Edit tour

Windows Analysis Report
PO454355 Pdf.exe

Overview

General Information

Sample name:	PO454355 Pdf.exe
Analysis ID:	1466132
MD5:	2d8c7cd70698ef3b6d1a3e042de0a93a
SHA1:	c73700a78a391e61b9ca3535c8d26dde12035808
SHA256:	657f1fddc9566fb412981480dcc6f6600219c6e5ca756070fe5b15baaa3843ce
Tags:	exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

One or more processes crash

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

PO454355 Pdf.exe (PID: 5072 cmdline: "C:\Users\user\Desktop\PO454355 Pdf.exe" MD5: 2D8C7CD70698EF3B6D1A3E042DE0A93A)

conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 4932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

WerFault.exe (PID: 1588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 20 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (POST) M4 - Source IP: 192.168.2.4 - Destination IP: 3.33.244.179

Timestamp:	07/02/24-15:46:31.893078
SID:	2856318
Source Port:	62736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PO454355 Pdf.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: PO454355 Pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF6E8D21C50
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF6E8D21C50
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rdi	0_2_00007FF6E8DE3D20
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rbx	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rsi	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push rdi	0_2_00007FF6E8DADD30
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 4x nop then push r14	0_2_00007FF6E8E5D7E0

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.4:62736 -> 3.33.244.179:80

Source: unknown

DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: PO454355 Pdf.exe	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: PO454355 Pdf.exe	String found in binary or memory: https://aka.ms/nativeaot-c
Source: PO454355 Pdf.exe, 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: PO454355 Pdf.exe	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: PO454355 Pdf.exe	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy

Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D521B0	0_2_00007FF6E8D521B0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D538B0	0_2_00007FF6E8D538B0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D531E0	0_2_00007FF6E8D531E0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D381F0	0_2_00007FF6E8D381F0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D239D0	0_2_00007FF6E8D239D0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D571B0	0_2_00007FF6E8D571B0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D529B0	0_2_00007FF6E8D529B0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D54B10	0_2_00007FF6E8D54B10
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D282D0	0_2_00007FF6E8D282D0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D402A0	0_2_00007FF6E8D402A0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D39A90	0_2_00007FF6E8D39A90
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D4BC80	0_2_00007FF6E8D4BC80
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D46C90	0_2_00007FF6E8D46C90
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D55490	0_2_00007FF6E8D55490
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D3D620	0_2_00007FF6E8D3D620
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D41D60	0_2_00007FF6E8D41D60
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D33EF0	0_2_00007FF6E8D33EF0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D2B6F0	0_2_00007FF6E8D2B6F0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D26ED0	0_2_00007FF6E8D26ED0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D567E0	0_2_00007FF6E8D567E0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D4C7D0	0_2_00007FF6E8D4C7D0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D417B4	0_2_00007FF6E8D417B4
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D2BF90	0_2_00007FF6E8D2BF90
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8DD7F40	0_2_00007FF6E8DD7F40
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D33130	0_2_00007FF6E8D33130
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D5E8E0	0_2_00007FF6E8D5E8E0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D558C0	0_2_00007FF6E8D558C0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D4C0A0	0_2_00007FF6E8D4C0A0
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D32080	0_2_00007FF6E8D32080

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Code function: String function: 00007FF6E8D2DBD0 appears 64 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 20

Source: PO454355 Pdf.exe	Binary or memory string: OriginalFilename vs PO454355 Pdf.exe
Source: PO454355 Pdf.exe, 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIFormattableGetEnumNames.dllR vs PO454355 Pdf.exe
Source: PO454355 Pdf.exe	Binary or memory string: OriginalFilenameIFormattableGetEnumNames.dllR vs PO454355 Pdf.exe

Source: PO454355 Pdf.exe

Static PE information: Section: .rsrc ZLIB complexity 0.996648656542056

Source: classification engine

Classification label: mal72.evad.winEXE@5/5@1/0

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Code function: 0_2_00007FF6E8D32F60 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,

0_2_00007FF6E8D32F60

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4932

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2c83fdca-92d8-417c-9c3e-a3d64b15695c

Jump to behavior

Source: PO454355 Pdf.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO454355 Pdf.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

File read: C:\Users\user\Desktop\PO454355 Pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO454355 Pdf.exe "C:\Users\user\Desktop\PO454355 Pdf.exe"
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 20
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Section loaded: profapi.dll	Jump to behavior

Source: PO454355 Pdf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: PO454355 Pdf.exe

Static file information: File size 2404352 > 1048576

Source: PO454355 Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO454355 Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO454355 Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO454355 Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO454355 Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO454355 Pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PO454355 Pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: PO454355 Pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: PO454355 Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO454355 Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO454355 Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO454355 Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO454355 Pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: PO454355 Pdf.exe	Static PE information: section name: .managed
Source: PO454355 Pdf.exe	Static PE information: section name: hydrated

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Memory allocated: 22E8B970000 memory reserve | memory write watch

Jump to behavior

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-16396

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Code function: 0_2_00007FF6E8D32B90 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF6E8D32B90

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: PO454355 Pdf.exe	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D28130 RtlAddVectoredExceptionHandler,RaiseFailFastException,		0_2_00007FF6E8D28130
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Code function: 0_2_00007FF6E8D8B70C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF6E8D8B70C

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\PO454355 Pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4EE0008	Jump to behavior

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Code function: 0_2_00007FF6E8D8BDA4 cpuid

0_2_00007FF6E8D8BDA4

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Code function: GetLocaleInfoEx,

0_2_00007FF6E8DF0D30

Source: C:\Users\user\Desktop\PO454355 Pdf.exe

Code function: 0_2_00007FF6E8D8BA10 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6E8D8BA10

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	311 Process Injection	1 Access Token Manipulation	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	311 Process Injection	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO454355 Pdf.exe	45%	ReversingLabs	Win64.Trojan.Stealerc

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
https://aka.ms/GlobalizationInvariantMode	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-c	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-compatibilityY	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-compatibility	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15.164.165.52.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://aka.ms/GlobalizationInvariantMode	PO454355 Pdf.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-c	PO454355 Pdf.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	PO454355 Pdf.exe, 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityY	PO454355 Pdf.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	PO454355 Pdf.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466132
Start date and time:	2024-07-02 15:57:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO454355 Pdf.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@5/5@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: PO454355 Pdf.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_ce89fc30-2665-47d9-b3d6-2c5173e453ca\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5800896353847202
Encrypted:	false
SSDEEP:	96:OaFN19bsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAhf/VXT5NHBg:dH19bk0WbkQzuiFJZ24IO8b
MD5:	31C96EDEB094B400D4C2DFDF5AADB2AC
SHA1:	E7B71D49B1D2061F81A97EF6FD3A62081553DF68
SHA-256:	061EE7EC848071B822485A6264EF1B24AF2C0969D24423F7DA86DEE33F6F1C62
SHA-512:	B3887771904A9A848E7201505F050520AF7093D8EC73948AEF927037CDE29B2D91CC7789B7DE61472BFAE1F2BBC34C4D36E644F596B0BA54C1D661CAA0C71687
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.0.2.2.7.4.6.5.5.3.2.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.0.2.2.7.9.0.1.4.7.0.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.8.9.f.c.3.0.-.2.6.6.5.-.4.7.d.9.-.b.3.d.6.-.2.c.5.1.7.3.e.4.5.3.c.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.5.c.c.5.a.4.-.c.6.6.1.-.4.a.e.9.-.a.a.c.1.-.d.f.b.2.a.8.c.a.e.1.0.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.4.4.-.0.0.0.1.-.0.0.1.5.-.4.3.8.6.-.a.8.d.5.8.7.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.b.4.0.2.f.b.2.4.b.2.0.6.c.4.a.3.7.8.a.7.4.f.d.6.4.9.c.6.0.a.4.1.3.c.e.5.a.9.2.!.c.s.c...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER258B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6244
Entropy (8bit):	3.695815268918576
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbW4O6OYR+V+Cbt5aMeUKq89bAxJsfayhm:R6l7wVeJW4O6OYUppxx89bAxJsfayhm
MD5:	0738791E8695DEAC21E8A91ACE43B4B3
SHA1:	EA7C484A08280CED7983146F5D653715E2F94EC1
SHA-256:	F521E1F933948728052BCE29C37C46628812E790D6E919D2472D1DFBC5488BBF
SHA-512:	B04AD0F7AB912857A78A332508C94FFEAB670472D7168CD7034DC2402EDB73988FB6D5E29063A4A484BA53EF2C4C64F7CEFA63C762C20DEA0ED3B9CD07381B54
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2618.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4564
Entropy (8bit):	4.42183870608659
Encrypted:	false
SSDEEP:	48:cvIwWl8zs4iJg77aI9aVWpW8VY0Ym8M4JTHF2+q87YdH3oz9d:uIjf4wI7Uk7VwJYzdH3W9d
MD5:	254488C7BC11443C4D21015919A87DBA
SHA1:	DACEFDC52AC6F3CF1C565C31A1EBF2BA4BF70555
SHA-256:	86BE16DD040BF30BA916B729F4A7C62B34FE561DC21AFF4AB03B4DDC7FFADF3C
SHA-512:	E6F6E2FE146B3D3BB5F372AABC97F683DFCE8471A4B5B7CA05DB9BD05F97F872220F6F59EA5009B91996C006EC6EC61A34473C872DCACC78CE9FD216BC29FD3A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="393420" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\WER15BB.tmp.WERDataCollectionStatus.txt

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	3.2428824725333505
Encrypted:	false
SSDEEP:	96:pwpIitkXkkX5kuguWL0Qg0QF0Qge0QXs0Qi0QQTHgmXQcszeuzSzbxGQI5/msspJ:pglY+uIYyoeyOkNe
MD5:	25D111C7DBD3093C2EDB2F83618E88A8
SHA1:	6324AE2F2074ADCEDD1DD09628F181BA8D289EE1
SHA-256:	76379A7C933C7C57367C63CEDE85F079C8F5E14FD79F1F804A749BE1DEBE48D7
SHA-512:	9ABC4E3F9F17246548BE53F8092154F61C8A539C1D63F7CC85F55AE957771AE73741C60FAB9BD3E90A1A10023184277C8FA5958BCB4FC2DD40422668DA318F51
Malicious:	false
Reputation:	low
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.4.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .3.5.1.5.2.5.3. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469257901838899
Encrypted:	false
SSDEEP:	6144:NzZfpi6ceLPx9skLmb0f6ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNrjDH5S:FZHt6ZWOKnMM6bFpdj4
MD5:	BCCAEBFC928C2A68987645C376349C6A
SHA1:	E0B872306243EDCA5FB562580F3625BCBD224104
SHA-256:	0213213DA5C46237C811B47D6C769243A4A0A5F8D26EF74A20A5EF0F0666210B
SHA-512:	955F97DFA9CA95D214AA12541343B9AFBC7DA57134E5E7D19C7DC6013BC4035D05DC90683609D19BC70D7B7F74CF06F07510B52A6F3E072E6DD07ED7EFDC9996
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmf?.................................................................................................................................................................................................................................................................................................................................................G...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.055430688577327
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	PO454355 Pdf.exe
File size:	2'404'352 bytes
MD5:	2d8c7cd70698ef3b6d1a3e042de0a93a
SHA1:	c73700a78a391e61b9ca3535c8d26dde12035808
SHA256:	657f1fddc9566fb412981480dcc6f6600219c6e5ca756070fe5b15baaa3843ce
SHA512:	a1ddd9992088aa6488d15235bb8985ac366dbe0614636eb4522a66ce5d173477e53421e5d01b6a57df9eebf838b1362cc5222690cb0712079c21e0d4aa9c0ba1
SSDEEP:	49152:EF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUxeaw1GnNOmyVS5ks:2roA7PqryV2
TLSH:	9EB5AD15E3E801A8D87BD634CA62A333DBB078961730D58F0659D6592F73EA19B3F312
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'..Ec...c...c....v..j....v..n....v..M...j.D.m...(...h...c...n....w..k....w..b...c...b....w..$...pq..b...pq..b...Richc..........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14006b3dc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x667DA332 [Thu Jun 27 17:36:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	97f00b2383bd4369e5094078fdccae7a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA3ACD3C0E0h
dec eax
add esp, 28h
jmp 00007FA3ACD3B927h
int3
int3
jmp 00007FA3ACD3C45Ch
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FA3ACD3BAC2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FA3ACD3BAC5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FA3ACD3BABDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FA3ACD3BAD2h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [001D73A9h]
jne 00007FA3ACD3BAC2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FA3ACD3BAB3h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x23ec60	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23ecb8	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x264000	0x42cc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x250000	0x1368c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a7000	0x5ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x216600	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x216800	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2164c0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x198000	0x818	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6fef8	0x70000	dd316bc2c65b1ae399457fdba120fa82	False	0.45282200404575895	data	6.641185225824904	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x71000	0xd9b18	0xd9c00	74b435642e339cdb1b2a678eb60c92d8	False	0.4628401711394948	data	6.464502436229499	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0x14b000	0x4c540	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x198000	0xa89e4	0xa8a00	bd65f4b9688a88a524e0a85d128283af	False	0.48930341919940695	data	6.720992467115288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x241000	0xe668	0x1a00	f7893d3998d6fe23c3c2fd83a455cf8d	False	0.22581129807692307	data	3.2697501080046183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x250000	0x1368c	0x13800	e5aeded247d82c5d18901a5f5b1c4999	False	0.49800931490384615	data	6.163194359627306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x264000	0x42cc8	0x42e00	189fa122086a1fba0d211d37182b20dc	False	0.996648656542056	data	7.998290963932367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a7000	0x5ec	0x600	22b17bd43d0ff4894ef88b7e105d8348	False	0.5989583333333334	data	5.299377162126531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BINARY	0x26411c	0x42684	data	1.000334553903619
RT_VERSION	0x2a67a0	0x33c	data	0.3828502415458937
RT_MANIFEST	0x2a6adc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	AdjustTokenPrivileges, CreateWellKnownSid, DeregisterEventSource, DuplicateTokenEx, GetSecurityDescriptorLength, GetTokenInformation, GetWindowsAccountDomainSid, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, RegCloseKey, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteTreeW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExA, RegSetValueExW, RegisterEventSourceW, ReportEventW, RevertToSelf, SetThreadToken
bcrypt.dll	BCryptDestroyKey, BCryptEncrypt, BCryptGenRandom, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptDecrypt, BCryptCloseAlgorithmProvider, BCryptImportKey
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, AllocConsole, CancelThreadpoolIo, CloseHandle, CloseThreadpoolIo, CompareStringEx, CompareStringOrdinal, CopyFileExW, CreateDirectoryW, CreateEventExW, CreateFileW, CreateProcessA, CreateSymbolicLinkW, CreateThreadpoolIo, DeleteCriticalSection, DeleteFileW, DeleteVolumeMountPointW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, EnumCalendarInfoExEx, EnumTimeFormatsEx, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNLSStringEx, FindNextFileW, FindStringOrdinal, FlushFileBuffers, FormatMessageW, FreeConsole, FreeLibrary, GetCPInfo, GetCalendarInfoEx, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumberEx, GetCurrentThread, GetDynamicTimeZoneInformation, GetEnvironmentVariableW, GetFileAttributesExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLocaleInfoEx, GetLogicalDrives, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetOverlappedResult, GetProcAddress, GetStdHandle, GetSystemDirectoryW, GetSystemTime, GetThreadPriority, GetTickCount64, GetTimeZoneInformation, GetUserPreferredUILanguages, GetVolumeInformationW, InitializeConditionVariable, InitializeCriticalSection, IsDebuggerPresent, LCMapStringEx, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, LocaleNameToLCID, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseFailFastException, ReadFile, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResolveLocaleName, ResumeThread, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadErrorMode, SetThreadPriority, Sleep, SleepConditionVariableCS, StartThreadpoolIo, SystemTimeToFileTime, TzSpecificLocalTimeToSystemTime, VirtualAlloc, VirtualFree, WaitForMultipleObjectsEx, WakeConditionVariable, WideCharToMultiByte, WriteFile, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, VerSetConditionMask, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, GetThreadContext, SetThreadContext, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, VerifyVersionInfoW, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, VirtualQuery, GetSystemTimeAsFileTime, InitializeCriticalSectionEx, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlUnwindEx, InitializeSListHead, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlLookupFunctionEntry
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CoWaitForMultipleHandles, CoInitializeEx, CoCreateGuid, CoGetApartmentType
USER32.dll	LoadStringW
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, floor, pow, modf, sin, cos, ceil, tan
api-ms-win-crt-heap-l1-1-0.dll	free, calloc, _set_new_mode, malloc, _callnewh
api-ms-win-crt-string-l1-1-0.dll	strncpy_s, strcpy_s, _stricmp, wcsncmp, strcmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	_register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___wargv, __p___argc, _exit, exit, _initterm_e, terminate, _crt_atexit, _initterm, _register_onexit_function, _get_initial_wide_environment, abort, _initialize_onexit_table, _initialize_wide_environment, _configure_wide_argv, _seh_filter_exe, _set_app_type
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsscanf, __p__commode, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vsprintf_s, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Exports

Name	Ordinal	Address
DotNetRuntimeDebugHeader	1	0x140241d50

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-15:46:31.893078	TCP	2856318	ETPRO TROJAN FormBook CnC Checkin (POST) M4	62736	80	192.168.2.4	3.33.244.179

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 15:58:25.363615036 CEST	53	57720	162.159.36.2	192.168.2.6
Jul 2, 2024 15:58:25.843803883 CEST	60876	53	192.168.2.6	1.1.1.1
Jul 2, 2024 15:58:25.851548910 CEST	53	60876	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 15:58:25.843803883 CEST	192.168.2.6	1.1.1.1	0x258b	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 15:58:25.851548910 CEST	1.1.1.1	192.168.2.6	0x258b	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	09:57:52
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\PO454355 Pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO454355 Pdf.exe"
Imagebase:	0x7ff6e8d20000
File size:	2'404'352 bytes
MD5 hash:	2D8C7CD70698EF3B6D1A3E042DE0A93A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:57:53
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:57:53
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x390000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:57:54
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 20
Imagebase:	0x870000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.7%
Total number of Nodes:	943
Total number of Limit Nodes:	27

Executed Functions

Function 00007FF6E8D32B90 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32B9F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32BDD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32C09
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32C1A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32C29
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32CC0
GetProcessAffinityMask.KERNEL32 ref: 00007FF6E8D32CD3

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: 4c9e7b62ca1d93063124db9da2326d3f3828c88f021132ba50495a9616bc8b52
Instruction ID: 511975474950c2cfc11118fc4d3c2c85d907aefd95b35aff51cb47286bf26f47
Opcode Fuzzy Hash: 4c9e7b62ca1d93063124db9da2326d3f3828c88f021132ba50495a9616bc8b52
Instruction Fuzzy Hash: 43515133E1874686EB508F29E4443B963A1FB44B81F840232D94DC7365EE3EE909D74E

Function 00007FF6E8D28130 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E8D2D0F0: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E8D2813F,?,?,?,?,?,?,00007FF6E8D22000), ref: 00007FF6E8D2D0FB
Part of subcall function 00007FF6E8D2D0F0: QueryInformationJobObject.KERNEL32 ref: 00007FF6E8D2D1CE

Part of subcall function 00007FF6E8D2CE80: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF6E8D28168,?,?,?,?,?,?,00007FF6E8D22000), ref: 00007FF6E8D2CE91

RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF6E8D281C9
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF6E8D22000), ref: 00007FF6E8D282B3

Strings

The required instruction sets are not supported by the current CPU., xrefs: 00007FF6E8D2829F
StressLogLevel, xrefs: 00007FF6E8D28225
TotalStressLogSize, xrefs: 00007FF6E8D281EA

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored
String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
API String ID: 2052584837-2841289747
Opcode ID: d0ac9821fb6c0add4b9ebbe98daa48ccbd8c985c351c2d863065a78766f66ba6
Instruction ID: 766208fc27449bf9637b1f9c2bafd8caef5c749779c072f4a234ccba258d2326
Opcode Fuzzy Hash: d0ac9821fb6c0add4b9ebbe98daa48ccbd8c985c351c2d863065a78766f66ba6
Instruction Fuzzy Hash: 18417D33E58A4281E610AB70A9027B96391AF41795F480331E94DE769BCF2EE85DC71F

Function 00007FF6E8D8BDA4 Relevance: 3.2, APIs: 2, Instructions: 199
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E8D8B4B9,?,?,?,?,00007FF6E8D2E7A1,?,?,?,00007FF6E8D2ED24,00000000,00000020,?), ref: 00007FF6E8D8BDBE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E8D8BDD4

Part of subcall function 00007FF6E8D8C204: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6E8D8C20D

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: bf961b2ab8b72b6bb4696f625dc9e1acb4f646454a2333270e2ccd61e10cc9a7
Instruction ID: 024fdafe9b6d0762a2ca26adfeae04cfd7a6158d3ee954b470d94bf7f79155e2
Opcode Fuzzy Hash: bf961b2ab8b72b6bb4696f625dc9e1acb4f646454a2333270e2ccd61e10cc9a7
Instruction Fuzzy Hash: B8818C73E186428EF7548F39A8417A837E0AB053A4F10673AD96EC76E0CE3EA444974D

Function 00007FF6E8D538B0 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 7ac183430c0cba639e3ecd960606325245119737f18878573bcb73a7c9d029aa
Instruction ID: 36aca88756dc40bf7cebe8526e987bf1deb2c7c57f6f138fa195ba9f17abad7b
Opcode Fuzzy Hash: 7ac183430c0cba639e3ecd960606325245119737f18878573bcb73a7c9d029aa
Instruction Fuzzy Hash: C7028D73E2874686FA1A8B39A8413B876A2EF567C0F144736D40DD3260DF3FB485964E

Function 00007FF6E8D521B0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3394052d9c2137c2fbf3b89c3610aa84990dc952498e98284b1c9c34880cd2ed
Instruction ID: 49a03e75a385903dc1a67e76147e9a53e7299edf0e02e59e411d1923a4d9d80f
Opcode Fuzzy Hash: 3394052d9c2137c2fbf3b89c3610aa84990dc952498e98284b1c9c34880cd2ed
Instruction Fuzzy Hash: D5F19233D2DB4386F646DB34A9113B56251AFA57C0F149336E40DD32A2EF2FB894924E

Function 00007FF6E8D32750 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6E8D3278C
IsProcessInJob.KERNEL32 ref: 00007FF6E8D3279C
QueryInformationJobObject.KERNEL32 ref: 00007FF6E8D327CC
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6E8D3283E
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF6E8D32879
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF6E8D328C0

Strings

@, xrefs: 00007FF6E8D3286E
@, xrefs: 00007FF6E8D32826
@, xrefs: 00007FF6E8D328B5

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 46198da623394d7b15bb719f5e4a5128e58e6380a5aeb4f160e59a8db540b038
Instruction ID: 2d0fb548056b26970c8aa4d16f3c7bcfde0979b83a90ed4b4a89a20b5dee8bc3
Opcode Fuzzy Hash: 46198da623394d7b15bb719f5e4a5128e58e6380a5aeb4f160e59a8db540b038
Instruction Fuzzy Hash: CC416733A08BC189EB718F21E4143A9B360FB44BA4F584335DAAD93AD8DF3DD8448749

Function 00007FF6E8D2D0F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E8D2813F,?,?,?,?,?,?,00007FF6E8D22000), ref: 00007FF6E8D2D0FB

Part of subcall function 00007FF6E8D32B90: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32B9F
Part of subcall function 00007FF6E8D32B90: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32BDD
Part of subcall function 00007FF6E8D32B90: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32C09
Part of subcall function 00007FF6E8D32B90: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32C1A
Part of subcall function 00007FF6E8D32B90: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D2D11A), ref: 00007FF6E8D32C29

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E8D2813F,?,?,?,?,?,?,00007FF6E8D22000), ref: 00007FF6E8D2D16D
GetProcessAffinityMask.KERNEL32 ref: 00007FF6E8D2D180
QueryInformationJobObject.KERNEL32 ref: 00007FF6E8D2D1CE

Strings

PROCESSOR_COUNT, xrefs: 00007FF6E8D2D136

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
String ID: PROCESSOR_COUNT
API String ID: 1701933505-4048346908
Opcode ID: 25420fbf59497c97a6a616538860f2c47e8523c816d87657a417c9793d34a5e2
Instruction ID: 186c402da757dba5a700c4fb5b7f914fedc1857e564dd25f73581031c14dfc36
Opcode Fuzzy Hash: 25420fbf59497c97a6a616538860f2c47e8523c816d87657a417c9793d34a5e2
Instruction Fuzzy Hash: 1931A033A08A4686EB259B70E8443B963A1EF84394F440231D68DC7B95DF3EE80DC75E

Function 00007FF6E8D23630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF6E8DEF880), ref: 00007FF6E8D236D5
RaiseFailFastException.KERNEL32(?,?,?,00007FF6E8DEF880), ref: 00007FF6E8D23701
RaiseFailFastException.KERNEL32(?,?,?,00007FF6E8DEF880), ref: 00007FF6E8D2373A

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF6E8D23726

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 6d01acea836dd96b47c2c5e0993a22bc70c2472d024c1f230ebefcf46e4bbae2
Instruction ID: 12d48b244f99293f42acedc32584ef4ff9e6105426d75bae2c75d90d66228b58
Opcode Fuzzy Hash: 6d01acea836dd96b47c2c5e0993a22bc70c2472d024c1f230ebefcf46e4bbae2
Instruction Fuzzy Hash: 4B412C73A18A4682EB999B35E5543A933A4EB44794F144239CA4DC33B0CF3FE459D28E

Function 00007FF6E8D2D350 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF6E8D2D371
SetThreadPriority.KERNELBASE ref: 00007FF6E8D2D38D
ResumeThread.KERNELBASE ref: 00007FF6E8D2D396
FindCloseChangeNotification.KERNELBASE ref: 00007FF6E8D2D39F

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
String ID:
API String ID: 2150560229-0
Opcode ID: 1fd97627cfe8389e38b2286a366fd33d3ebac3e1f7f8eb4fcf4620db7d9795ed
Instruction ID: 24b1d3fb1b90bc0b3ee6c5c05c7481155e5ec59c2ac406328e454b2b4b09cc6a
Opcode Fuzzy Hash: 1fd97627cfe8389e38b2286a366fd33d3ebac3e1f7f8eb4fcf4620db7d9795ed
Instruction Fuzzy Hash: D6E06DA6A1571282FB259B71A8283396350BF98BC5F084034DD8E963A4EF3E9155868C

Function 00007FF6E8D32570 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6E8D325A7
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF6E8D3266C

Strings

@, xrefs: 00007FF6E8D32664

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: d415d27f6ddf2cca45eba18734769ddeecb613225847b9f00db101291d5e82da
Instruction ID: f8bbc5146ee165e9ecdc28c6303241481f6f6751a102b8a2b10398ac37a694dd
Opcode Fuzzy Hash: d415d27f6ddf2cca45eba18734769ddeecb613225847b9f00db101291d5e82da
Instruction Fuzzy Hash: D2412963F19B4649E956CB36911833992927F49BC2F18C731ED0EA2744FF3EE885860D

Function 00007FF6E8D38DCB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF6E8D38E2E
GetTickCount64.KERNEL32 ref: 00007FF6E8D38EB3

Strings

D), xrefs: 00007FF6E8D38F57

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Count64Tick
String ID: D)
API String ID: 1927824332-848725745
Opcode ID: 738b33bdc5b30434fa873a3cc482db2f0a1aff3c0c979400cab83d7b5406ce2f
Instruction ID: c20c27659e7bc35cae15741762dc0cde7cd895defbfba005042cfe4848197f52
Opcode Fuzzy Hash: 738b33bdc5b30434fa873a3cc482db2f0a1aff3c0c979400cab83d7b5406ce2f
Instruction Fuzzy Hash: 1F416D33E1964689EA658B31E4483BD2390BF40780F154736C90DE36A4DE3FE959A34F

Function 00007FF6E8D32E10 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF6E8D36968,?,?,0000000B,00007FF6E8D35830,?,?,00000000,00007FF6E8D2FBF1), ref: 00007FF6E8D32E37
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF6E8D36968,?,?,0000000B,00007FF6E8D35830,?,?,00000000,00007FF6E8D2FBF1), ref: 00007FF6E8D32E57
VirtualAllocExNuma.KERNEL32 ref: 00007FF6E8D32E78

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: 5188d5bc0a99c14dc0d2229a5aba8e7e5169a6da6aec5c86698c49050b78a37c
Instruction ID: af99809a88ab0307066986181f13bdd4a042a46f725b0fa4e8547cb5e4c9371b
Opcode Fuzzy Hash: 5188d5bc0a99c14dc0d2229a5aba8e7e5169a6da6aec5c86698c49050b78a37c
Instruction Fuzzy Hash: ECF04472B1869182E7208F16F404719A760BB49BD5F584135EF8C67B6CDF3DD5918708

Function 00007FF6E8D32DD0 Relevance: 2.5, APIs: 2, Instructions: 17
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FF6E8D32DE6
VirtualFree.KERNELBASE ref: 00007FF6E8D32DFC

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 3b0924aad5c9d8f1e4054d63f84a8e7ac6c370ab154e50dab9d8d9c549d06468
Instruction ID: ec553add9051778baabad0ec119b96753aeddacbdaea1fa0421f9372e54a441e
Opcode Fuzzy Hash: 3b0924aad5c9d8f1e4054d63f84a8e7ac6c370ab154e50dab9d8d9c549d06468
Instruction Fuzzy Hash: 8BE0C235F2A20182EB2C9F33A84676813916F4DB50FC0C038C40D93350EE3EA55B8F8A

Function 00007FF6E8DCCFB0 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF6E8DCCE70,?,?,00000030), ref: 00007FF6E8DCD029

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d260e6bf7434607846c4d61dd018d3f30570e5d6e4ce6bbd326d91653f400847
Instruction ID: d28a52cdec69cd8e3bb3959a35427373adaccb526bbc70694d5d703ef54a39d9
Opcode Fuzzy Hash: d260e6bf7434607846c4d61dd018d3f30570e5d6e4ce6bbd326d91653f400847
Instruction Fuzzy Hash: F831B223E0861685FA12AB75EC117FD62606F44794F540235DE0DEB786DE3EA88AC34E

Function 00007FF6E8D22AB0 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E8D2CE60: GetCurrentThreadId.KERNEL32 ref: 00007FF6E8D2CE64

Part of subcall function 00007FF6E8D2E660: VirtualQuery.KERNEL32 ref: 00007FF6E8D2E692

RaiseFailFastException.KERNEL32 ref: 00007FF6E8D22B36

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: c64ecd0e409d3fcf1060a1dc3232f901697416edb1e454c4f82bff6a62ba27d3
Instruction ID: 7980493a4baac2de67820530f02d63c9a4379d27701e8994e5418ae1ca33db9a
Opcode Fuzzy Hash: c64ecd0e409d3fcf1060a1dc3232f901697416edb1e454c4f82bff6a62ba27d3
Instruction Fuzzy Hash: D4114C72A08B8282D764AF25B4012AAB350F7457B0F544339E6BD477D6DF3DD14A870A

Function 00007FF6E8D32EA0 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FF6E8D32EAA

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c77d0b216ed602b1f63c297f10537e1da20961e91553004aa9498b52e676b055
Instruction ID: 1a9f4ffe1257d6547e7e312cf83ca45f82e5e911f14c2041e647967e8caf5a69
Opcode Fuzzy Hash: c77d0b216ed602b1f63c297f10537e1da20961e91553004aa9498b52e676b055
Instruction Fuzzy Hash: 0EB01200F2A111C2E3182B337C82B0C03142B09B62FC40024C608F1350CD3DC1E51B19

Non-executed Functions

Function 00007FF6E8D33130 Relevance: 123.1, Strings: 98, Instructions: 569COMMON

Download Yara Rule

Strings

GCHeapHardLimitSOHPercent, xrefs: 00007FF6E8D33980
System.GC.Path, xrefs: 00007FF6E8D33A85, 00007FF6E8D33A9D
BGCMemGoal, xrefs: 00007FF6E8D336EF
HeapCount, xrefs: 00007FF6E8D3339B
System.GC.NoAffinitize, xrefs: 00007FF6E8D33220
GCDynamicAdaptationMode, xrefs: 00007FF6E8D33AFC
BGCFLkp, xrefs: 00007FF6E8D33767
GCLogFile, xrefs: 00007FF6E8D3364E
GCHeapHardLimitLOHPercent, xrefs: 00007FF6E8D339A5
System.GC.HeapHardLimitSOH, xrefs: 00007FF6E8D3390B
GCNumaAware, xrefs: 00007FF6E8D33287
BGCFLEnableFF, xrefs: 00007FF6E8D338CF, 00007FF6E8D33A17
System.GC.CpuGroup, xrefs: 00007FF6E8D332A8
System.GC.HeapCount, xrefs: 00007FF6E8D3338C
BGCFLGradualD, xrefs: 00007FF6E8D337FD
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF6E8D33971
GCRegionSize, xrefs: 00007FF6E8D3360D
BGCSpin, xrefs: 00007FF6E8D3336E
ConfigLogEnabled, xrefs: 00007FF6E8D33266
System.GC.DTargetTCP, xrefs: 00007FF6E8D33B0F
ConservativeGC, xrefs: 00007FF6E8D33198
GCEnabledInstructionSets, xrefs: 00007FF6E8D339D7
ConcurrentGC, xrefs: 00007FF6E8D33185
RetainVM, xrefs: 00007FF6E8D331EC
GCRegionRange, xrefs: 00007FF6E8D335EF
GCHeapHardLimit, xrefs: 00007FF6E8D3359C
System.GC.LargePages, xrefs: 00007FF6E8D332D8
System.GC.Concurrent, xrefs: 00007FF6E8D33173
BGCFLSweepGoalLOH, xrefs: 00007FF6E8D33749
BreakOnOOM, xrefs: 00007FF6E8D331FF
System.GC.HighMemoryPercent, xrefs: 00007FF6E8D334F3
BGCG2RatioStep, xrefs: 00007FF6E8D338ED
BGCFLEnableSmooth, xrefs: 00007FF6E8D33893
System.GC.Name, xrefs: 00007FF6E8D33A38, 00007FF6E8D33A50
GCHighMemPercent, xrefs: 00007FF6E8D33502
BGCFLEnableKd, xrefs: 00007FF6E8D33875
BGCMLkp, xrefs: 00007FF6E8D33826
GCHeapHardLimitPOHPercent, xrefs: 00007FF6E8D339C4
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF6E8D3399B
GCConfigLogFile, xrefs: 00007FF6E8D33692
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF6E8D339B5
LogFileSize, xrefs: 00007FF6E8D33448
GCLowSkipRatio, xrefs: 00007FF6E8D3356F
CompactRatio, xrefs: 00007FF6E8D33466
BGCMLki, xrefs: 00007FF6E8D33839
GCSpinCountUnit, xrefs: 00007FF6E8D33ACF
MaxHeapCount, xrefs: 00007FF6E8D333BD
GCHeapHardLimitLOH, xrefs: 00007FF6E8D3393C
GCCpuGroup, xrefs: 00007FF6E8D332BA
GCDTargetTCP, xrefs: 00007FF6E8D33B1E
GCGen0MaxBudget, xrefs: 00007FF6E8D33533
BGCFLEnableKi, xrefs: 00007FF6E8D33857
BGCFLki, xrefs: 00007FF6E8D33785
System.GC.HeapHardLimitPOH, xrefs: 00007FF6E8D3394F
System.GC.MaxHeapCount, xrefs: 00007FF6E8D333AE
GCHeapAffinitizeMask, xrefs: 00007FF6E8D33493
GCPath, xrefs: 00007FF6E8D33A8C, 00007FF6E8D33AAF
System.GC.DynamicAdaptationMode, xrefs: 00007FF6E8D33AED
System.GC.HeapHardLimit, xrefs: 00007FF6E8D3358D
System.GC.RetainVM, xrefs: 00007FF6E8D331DA
GCTotalPhysicalMemory, xrefs: 00007FF6E8D335D1
LogFile, xrefs: 00007FF6E8D3365F
GCGen1MaxBudget, xrefs: 00007FF6E8D33551
System.GC.HeapAffinitizeRanges, xrefs: 00007FF6E8D334A6, 00007FF6E8D334C7
System.GC.HeapAffinitizeMask, xrefs: 00007FF6E8D33484
BGCFLff, xrefs: 00007FF6E8D337C1
HeapVerifyLevel, xrefs: 00007FF6E8D332F2
System.GC.LOHThreshold, xrefs: 00007FF6E8D3332E
GCProvModeStress, xrefs: 00007FF6E8D33515
ForceCompact, xrefs: 00007FF6E8D331B9
Gen0Size, xrefs: 00007FF6E8D333D0
BGCFLSmoothFactor, xrefs: 00007FF6E8D337DF
LOHThreshold, xrefs: 00007FF6E8D3333D
LOHCompactionMode, xrefs: 00007FF6E8D33310, 00007FF6E8D33350
GCName, xrefs: 00007FF6E8D33A3F, 00007FF6E8D33A62
SegmentSize, xrefs: 00007FF6E8D333EE
BGCFLTuningEnabled, xrefs: 00007FF6E8D336D1
GCHeapHardLimitSOH, xrefs: 00007FF6E8D3391A
NoAffinitize, xrefs: 00007FF6E8D33232
BGCFLEnableTBH, xrefs: 00007FF6E8D338B1
GCLargePages, xrefs: 00007FF6E8D332E2
LatencyLevel, xrefs: 00007FF6E8D3342A
System.GC.HeapHardLimitLOH, xrefs: 00007FF6E8D3392D
GCConserveMem, xrefs: 00007FF6E8D33A04
GCHeapHardLimitPOH, xrefs: 00007FF6E8D3395E
LogEnabled, xrefs: 00007FF6E8D33245
System.GC.HeapHardLimitPercent, xrefs: 00007FF6E8D335AF
BGCFLSweepGoal, xrefs: 00007FF6E8D3372B
LatencyMode, xrefs: 00007FF6E8D3340C
ServerGC, xrefs: 00007FF6E8D3315A
GCEnableSpecialRegions, xrefs: 00007FF6E8D3362B
GCHeapHardLimitPercent, xrefs: 00007FF6E8D335BE
ConfigLogFile, xrefs: 00007FF6E8D336A3
System.GC.ConserveMemory, xrefs: 00007FF6E8D339F5
System.GC.Server, xrefs: 00007FF6E8D3314B
GCHeapAffinitizeRanges, xrefs: 00007FF6E8D334B2, 00007FF6E8D334D3
BGCMemGoalSlack, xrefs: 00007FF6E8D3370D
BGCFLkd, xrefs: 00007FF6E8D337A3

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCPath$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.Path$System.GC.RetainVM$System.GC.Server
API String ID: 0-1379766591
Opcode ID: d99b99d8d7d8079bc8fcfdef839217da97d7cae1de85db9ed7a85a6efaf86363
Instruction ID: dcc31fa36a7392fa3f27b4d82f4a2eee49782953278cf07dba11df2b73f7b2ff
Opcode Fuzzy Hash: d99b99d8d7d8079bc8fcfdef839217da97d7cae1de85db9ed7a85a6efaf86363
Instruction Fuzzy Hash: BE427E72A18A5681EB209B35F910BE963A5FF457C8F411232D98C87B24DF3ED246C74E

Function 00007FF6E8D33EF0 Relevance: 113.0, Strings: 90, Instructions: 479COMMON

Download Yara Rule

Strings

GCHeapHardLimitSOHPercent, xrefs: 00007FF6E8D348B2
GCHeapHardLimitLOH, xrefs: 00007FF6E8D34856
GCDTargetTCP, xrefs: 00007FF6E8D34A13
GCCpuGroup, xrefs: 00007FF6E8D340A0
gcConservative, xrefs: 00007FF6E8D33F4F
BGCMemGoal, xrefs: 00007FF6E8D3453F
GCGen0MaxBudget, xrefs: 00007FF6E8D3439B
BGCFLEnableKi, xrefs: 00007FF6E8D3472B
BGCFLki, xrefs: 00007FF6E8D3460C
System.GC.HeapHardLimitPOH, xrefs: 00007FF6E8D34884
System.GC.MaxHeapCount, xrefs: 00007FF6E8D341F2
GCConserveMemory, xrefs: 00007FF6E8D34965
System.GC.NoAffinitize, xrefs: 00007FF6E8D33FF4
GCDynamicAdaptationMode, xrefs: 00007FF6E8D349E5
GCHeapAffinitizeMask, xrefs: 00007FF6E8D3431D
gcServer, xrefs: 00007FF6E8D33F02
System.GC.DynamicAdaptationMode, xrefs: 00007FF6E8D349DE
BGCFLkp, xrefs: 00007FF6E8D345E3
GCHeapCount, xrefs: 00007FF6E8D341CB
System.GC.HeapHardLimit, xrefs: 00007FF6E8D34416
GCRetainVM, xrefs: 00007FF6E8D33FA6
System.GC.RetainVM, xrefs: 00007FF6E8D33F9F
GCTotalPhysicalMemory, xrefs: 00007FF6E8D34472
GCGen1MaxBudget, xrefs: 00007FF6E8D343C4
GCHeapHardLimitLOHPercent, xrefs: 00007FF6E8D348E0
System.GC.HeapAffinitizeMask, xrefs: 00007FF6E8D34316
System.GC.HeapHardLimitSOH, xrefs: 00007FF6E8D34821
GCCompactRatio, xrefs: 00007FF6E8D342ED
BGCFLff, xrefs: 00007FF6E8D3465E
GCNumaAware, xrefs: 00007FF6E8D34071
BGCFLEnableFF, xrefs: 00007FF6E8D347CF
System.GC.LOHThreshold, xrefs: 00007FF6E8D34144
System.GC.CpuGroup, xrefs: 00007FF6E8D34099
GCLOHThreshold, xrefs: 00007FF6E8D3414B
GCProvModeStress, xrefs: 00007FF6E8D34372
System.GC.HeapCount, xrefs: 00007FF6E8D341C4
gcForceCompact, xrefs: 00007FF6E8D33F77
HeapVerify, xrefs: 00007FF6E8D340F3
BGCFLGradualD, xrefs: 00007FF6E8D346B0
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF6E8D348AB
GCRegionSize, xrefs: 00007FF6E8D344CD
BGCFLSmoothFactor, xrefs: 00007FF6E8D34690
BGCSpin, xrefs: 00007FF6E8D3419B
System.GC.DTargetTCP, xrefs: 00007FF6E8D34A0C
GCSegmentSize, xrefs: 00007FF6E8D34249
GCLatencyMode, xrefs: 00007FF6E8D34272
gcConcurrent, xrefs: 00007FF6E8D33F29
GCEnabledInstructionSets, xrefs: 00007FF6E8D34935
GCMaxHeapCount, xrefs: 00007FF6E8D341F9
GCHeapHardLimit, xrefs: 00007FF6E8D3441D
GCRegionRange, xrefs: 00007FF6E8D3449B
System.GC.LargePages, xrefs: 00007FF6E8D340C6
BGCFLTuningEnabled, xrefs: 00007FF6E8D34516
GCHeapHardLimitSOH, xrefs: 00007FF6E8D34828
System.GC.Concurrent, xrefs: 00007FF6E8D33F22
BGCFLEnableTBH, xrefs: 00007FF6E8D347A6
GCLargePages, xrefs: 00007FF6E8D340CD
BGCFLSweepGoalLOH, xrefs: 00007FF6E8D345BA
System.GC.HeapHardLimitLOH, xrefs: 00007FF6E8D3484F
System.GC.HighMemoryPercent, xrefs: 00007FF6E8D34344
GCLogFileSize, xrefs: 00007FF6E8D342CD
GCLatencyLevel, xrefs: 00007FF6E8D3429B
BGCG2RatioStep, xrefs: 00007FF6E8D347F8
BGCFLEnableSmooth, xrefs: 00007FF6E8D3477D
GCHeapHardLimitPOH, xrefs: 00007FF6E8D3488B
GCgen0size, xrefs: 00007FF6E8D34220
GCHighMemPercent, xrefs: 00007FF6E8D3434B
GCBreakOnOOM, xrefs: 00007FF6E8D33FCC
System.GC.HeapHardLimitPercent, xrefs: 00007FF6E8D34444
BGCFLEnableKd, xrefs: 00007FF6E8D34754
BGCFLSweepGoal, xrefs: 00007FF6E8D34591
GCWriteBarrier, xrefs: 00007FF6E8D3498C
BGCMLkp, xrefs: 00007FF6E8D346D9
GCHeapHardLimitPOHPercent, xrefs: 00007FF6E8D3490E
BGCSpinCount, xrefs: 00007FF6E8D34172
GCHeapHardLimitPercent, xrefs: 00007FF6E8D3444B
GCEnableSpecialRegions, xrefs: 00007FF6E8D344ED
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF6E8D348D9
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF6E8D34907
System.GC.ConserveMemory, xrefs: 00007FF6E8D3495E
GCLowSkipRatio, xrefs: 00007FF6E8D343ED
GCConfigLogEnabled, xrefs: 00007FF6E8D34049
GCLogEnabled, xrefs: 00007FF6E8D34021
GCNoAffinitize, xrefs: 00007FF6E8D33FFB
System.GC.Server, xrefs: 00007FF6E8D33EFB
GCLOHCompact, xrefs: 00007FF6E8D3411B
GCSpinCountUnit, xrefs: 00007FF6E8D349B5
BGCMLki, xrefs: 00007FF6E8D34702
BGCMemGoalSlack, xrefs: 00007FF6E8D34568
BGCFLkd, xrefs: 00007FF6E8D34635

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: strcmp
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 1004003707-1492036319
Opcode ID: 4191eb02c31c6530e6ec1d622d11567a61af9ffd1ff6ecc5b188b8cc01225dc0
Instruction ID: a03165b1e106ce4cded03c6d082fca45f37d3c8b5ed091029055fa84a876cd5d
Opcode Fuzzy Hash: 4191eb02c31c6530e6ec1d622d11567a61af9ffd1ff6ecc5b188b8cc01225dc0
Instruction Fuzzy Hash: F862B132E29B8B94EA01DB75A8543E127A1EF557D0F444232C44CC7262EE3FA159E39F

Function 00007FF6E8D32F60 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6E8D32F9C
GetCurrentProcess.KERNEL32 ref: 00007FF6E8D32FC4
OpenProcessToken.ADVAPI32 ref: 00007FF6E8D32FD7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6E8D32FFC
GetLastError.KERNEL32 ref: 00007FF6E8D33004
CloseHandle.KERNEL32 ref: 00007FF6E8D33011
GetLargePageMinimum.KERNEL32 ref: 00007FF6E8D33026
VirtualAlloc.KERNEL32 ref: 00007FF6E8D33057
GetCurrentProcess.KERNEL32 ref: 00007FF6E8D33063
VirtualAllocExNuma.KERNEL32 ref: 00007FF6E8D33083

Strings

SeLockMemoryPrivilege, xrefs: 00007FF6E8D32F95

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: 15b15ab6d6ee02b3c5b0b81b0fa05c43a8a43f1a4b1e1b9cf4b9317159724ae4
Instruction ID: b4f8f96228693e4d32cc21c24a68df4e627d0278d4c4d1b6d8671814297b294e
Opcode Fuzzy Hash: 15b15ab6d6ee02b3c5b0b81b0fa05c43a8a43f1a4b1e1b9cf4b9317159724ae4
Instruction Fuzzy Hash: 5231A133A1CB4286FB209BB1F50877A67A1EB84BC4F000135DA8D97769DE3ED448874E

Function 00007FF6E8D26ED0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8D27871), ref: 00007FF6E8D26F88
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8D27871), ref: 00007FF6E8D270DB
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8D27871), ref: 00007FF6E8D271B3
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8D27871), ref: 00007FF6E8D271C9
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8D27871), ref: 00007FF6E8D27245

Strings

[ KeepUnwinding ], xrefs: 00007FF6E8D271E4

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: a194a7c0d0f8bf0d13eda8b02fc6739eea9f927413269e725c7a1e9c4323ee48
Instruction ID: 693a3b4e6708a63bfc84e51af279404015bac0b5bf44a506e948d6afd0b483e9
Opcode Fuzzy Hash: a194a7c0d0f8bf0d13eda8b02fc6739eea9f927413269e725c7a1e9c4323ee48
Instruction Fuzzy Hash: CAB12933A09B4281EB64CF35E4407A923A5FB44B68F584236DA4D87398DF3EE459C35A

Function 00007FF6E8D8BA10 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6E8D8BA3C
GetCurrentThreadId.KERNEL32 ref: 00007FF6E8D8BA4A
GetCurrentProcessId.KERNEL32 ref: 00007FF6E8D8BA56
QueryPerformanceCounter.KERNEL32 ref: 00007FF6E8D8BA66

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 78dc8e12354e733f786b704134a88d0c69524484bd1249ff473f58f1b1045164
Instruction ID: af7fe1bb5aec07faff1687d06b9e96859326d18a9331ab669c87a2306576567a
Opcode Fuzzy Hash: 78dc8e12354e733f786b704134a88d0c69524484bd1249ff473f58f1b1045164
Instruction Fuzzy Hash: 51114C22B14F028AEB009F70E8542A933A4FB18798F041E31DA6D837A8DF78D1548384

Function 00007FF6E8D531E0 Relevance: 4.8, APIs: 3, Instructions: 256threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF6E8D5329C
SwitchToThread.KERNEL32 ref: 00007FF6E8D532A5

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 9c30da41b46e678a752cba94ff24b9c9e844bb868ff036e56f0bec62d5d1427a
Instruction ID: 76721a7f639f2e60e7106e1ea2360103318809ff79db6f70f0a8e0280bbddf00
Opcode Fuzzy Hash: 9c30da41b46e678a752cba94ff24b9c9e844bb868ff036e56f0bec62d5d1427a
Instruction Fuzzy Hash: E7B15B73A19B42C6EA188B78D4443B833A0FF45B94F544736DA1DC72A5DE3EE458838E

Function 00007FF6E8D3D620 Relevance: 4.7, APIs: 2, Strings: 1, Instructions: 195COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6E8D3D816
LeaveCriticalSection.KERNEL32 ref: 00007FF6E8D3D830

Strings

@, xrefs: 00007FF6E8D3D83A

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: @
API String ID: 3168844106-2766056989
Opcode ID: 5db7b6a377614d9f480f265109a2fe80749a182d1a3adcd727705f5ae378369e
Instruction ID: 94d223ef27747ee4785c5a79d8f90d1cb42a857dbf87f49e475b7bc9e4a33b30
Opcode Fuzzy Hash: 5db7b6a377614d9f480f265109a2fe80749a182d1a3adcd727705f5ae378369e
Instruction Fuzzy Hash: 1E914833E2964285FB629B35A8443B423A0AF457D4F180335D90DC36A5DE2FF858EB5E

Function 00007FF6E8D5E8E0 Relevance: 3.3, APIs: 2, Instructions: 344threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF6E8D5EA55
SwitchToThread.KERNEL32 ref: 00007FF6E8D5EA85

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: c2dd94c7d96df3f2775cdd799debc1e0e9d9a61e5e2074260edde2e60430f6ac
Instruction ID: d46ea87a75e3daad9d7b76207601e71345f1cdee682985c595e2da2e31c1f3fe
Opcode Fuzzy Hash: c2dd94c7d96df3f2775cdd799debc1e0e9d9a61e5e2074260edde2e60430f6ac
Instruction Fuzzy Hash: 46E16F33A09B91C6EB609F25E4403A9B364FB44B94F544232DA9D83798DF3DE449CB4E

Function 00007FF6E8D32080 Relevance: 3.2, APIs: 2, Instructions: 175COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF6E8D2828B,?,?,?,?,?,?,00007FF6E8D22000), ref: 00007FF6E8D3211F
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF6E8D2828B,?,?,?,?,?,?,00007FF6E8D22000), ref: 00007FF6E8D3217C

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: 72210cc46d501d66917d4aa4741235ebaad592b546a2f8b3c708735d4c7245cd
Instruction ID: 7ad90f8175b3a71efde68cf865cf9eab0d7d2dd189648be90db006563fdff08e
Opcode Fuzzy Hash: 72210cc46d501d66917d4aa4741235ebaad592b546a2f8b3c708735d4c7245cd
Instruction Fuzzy Hash: 8151E237F082220AFF68046D985D77542875BE5366F568638DA5EE36C2CD7FEC0A420E

Function 00007FF6E8D4C7D0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6E8D4C896
LeaveCriticalSection.KERNEL32 ref: 00007FF6E8D4C8B0

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: d59cc5cb1b18531cba8ca60925d5e3cb69ecf232ff52c5df66362fa8286c3256
Instruction ID: a24f5c207783db7d502d1e1fc53bbc16284e2bcf376f12267c6de68729f81401
Opcode Fuzzy Hash: d59cc5cb1b18531cba8ca60925d5e3cb69ecf232ff52c5df66362fa8286c3256
Instruction Fuzzy Hash: D1418033B28A5681EB109F36A5503B963A4FF88BC4B185236DE4C93B55DF3EE016834D

Function 00007FF6E8D54B10 Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6E8D5505B

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d80cb2096afa2d96802b29f732793f8d2c2ea0a515708a2f5b61d075e09ca355
Instruction ID: 154fd31eec7e9dbe96925af4bf9a13573b3becfddbd0a004223dc718ff8440aa
Opcode Fuzzy Hash: d80cb2096afa2d96802b29f732793f8d2c2ea0a515708a2f5b61d075e09ca355
Instruction Fuzzy Hash: 20426A73A29B86C1EA128B65E9107B837A1FB447E4F544332CA6D83790DF3EE454934E

Function 00007FF6E8D402A0 Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF6E8D402EB

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: d973c782404e594d9bcbf2e5c6d56061f7dad822c0a4488c5f43b24ac340032d
Instruction ID: e1d4f3abd04edb161f8c66ee3e952f93738ced9c33237a05d6cca536cefc9a33
Opcode Fuzzy Hash: d973c782404e594d9bcbf2e5c6d56061f7dad822c0a4488c5f43b24ac340032d
Instruction Fuzzy Hash: A412CD33A18B4A82EB54CB21E4447A973A5FB94B94F144331CA5E83794CF3EE84AC74D

Function 00007FF6E8D2BF90 Relevance: 1.6, Strings: 1, Instructions: 362COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF6E8D2C2B3

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
Instruction ID: ffb216dc257d49f8752670c18d3a2811b8323450518f79cd94c08f7b027cae4d
Opcode Fuzzy Hash: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
Instruction Fuzzy Hash: 49D1CDB3B10B4983E7189F39A40566932A2EB45BE8F141335DE5D47B98CE3DE918C748

Function 00007FF6E8DF0D30 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,00000010,0000022E8D4002C0,?,?,00000000,?,?,00007FF6E8DBE953), ref: 00007FF6E8DF0D86

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 204640446f1087154f6338ca72d232791813a4a0625229ff24d57606c327cb8e
Instruction ID: eca6f1be20d028214924e544d0bb3886225f881d75091dbaa5a47e1eb1c36513
Opcode Fuzzy Hash: 204640446f1087154f6338ca72d232791813a4a0625229ff24d57606c327cb8e
Instruction Fuzzy Hash: 0A01E533F04B549AEB21DBB5AC015ED76B4B758318F60023AEE4DA7A48EF34A856C744

Function 00007FF6E8D381F0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

/1, xrefs: 00007FF6E8D38512

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID: /1
API String ID: 0-2817764555
Opcode ID: 7f6dc304a19f2a48ee2c861db27342cb39ee3eea17acda9183df1afc939c6c05
Instruction ID: 5da276687594b95f276a1fa8523674b6de6e33133bd43e242089475db398ed1d
Opcode Fuzzy Hash: 7f6dc304a19f2a48ee2c861db27342cb39ee3eea17acda9183df1afc939c6c05
Instruction Fuzzy Hash: 6FD16F33A59B8682E7608B34E8443B923A1FF48798F154235C94D93761DF3EE859D34E

Function 00007FF6E8D558C0 Relevance: 1.0, Instructions: 950COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25344163fb3e352c34538291974fad36bcb5627af75f838acfed12e2fba72d91
Instruction ID: 7097690d5cae6a68c7fd8437a83a37395b780b30ad144a2206a384bb67ea0098
Opcode Fuzzy Hash: 25344163fb3e352c34538291974fad36bcb5627af75f838acfed12e2fba72d91
Instruction Fuzzy Hash: 1A92BD73A28B0685EA029B75A9507B463A5FF48BC4F584337D80ED3761DE3EE449834E

Function 00007FF6E8D567E0 Relevance: .7, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801744bdd96377547b888a3c70e772e67b1585d8fb76d1f3f959e3ca14fd2e86
Instruction ID: 0225a3586973f3313de1c57b03c7191b60ed3202812ed69a3e8e57af86000491
Opcode Fuzzy Hash: 801744bdd96377547b888a3c70e772e67b1585d8fb76d1f3f959e3ca14fd2e86
Instruction Fuzzy Hash: 7052AB33B18B45C6EB108F75E4402AD77B1FB48B98B144636EE4E97B98CE3AE445870D

Function 00007FF6E8D571B0 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781d2a1a5c9ba1d80fa3332f439c67dbd3f5da6a5da9899e467eda87960517b7
Instruction ID: e73b83e375ddc2d13fe70a5a92af95f277df5a046fe0624c33c6a9ff05da20fc
Opcode Fuzzy Hash: 781d2a1a5c9ba1d80fa3332f439c67dbd3f5da6a5da9899e467eda87960517b7
Instruction Fuzzy Hash: AF327E33B19B46C6EB108BB5D5407BC27A1FB04BA8B244636CE1D97B84DE39E459C34E

Function 00007FF6E8D46C90 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12364d0ff0cea06089e9274694b767b8b30ef639dd9b265c612d6c852c853e6b
Instruction ID: b118f299aefd44842ecef92d6e7628159c526c572731a829892366c774bc59ee
Opcode Fuzzy Hash: 12364d0ff0cea06089e9274694b767b8b30ef639dd9b265c612d6c852c853e6b
Instruction Fuzzy Hash: 0D1280B3A1AB9A81EE658B28D04436867A0FF54BA4F149335CE6C833D4DF3ED495C24D

Function 00007FF6E8DD7F40 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313dea30c798e73606019446f4cb135ba51061c0bfdcea6891a82da26de4cdd6
Instruction ID: 7a9368d07408b008c4505d05e2f3e96b818e1dd5f5ce71d06e769e6699c5cf0d
Opcode Fuzzy Hash: 313dea30c798e73606019446f4cb135ba51061c0bfdcea6891a82da26de4cdd6
Instruction Fuzzy Hash: F6F16963F2854242F73A47389C017B96252EFD1304F589734DA4E96BD8EE3EA45D8F0A

Function 00007FF6E8D41D60 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ca48302f7e549fd0b9dcb0b29a96f96b9d26f61ae64e1577846578a65f7f54
Instruction ID: e9d31c395f430899a87a699ee0e24408fe6dba7438a5f6bb73c7f5bd36101c54
Opcode Fuzzy Hash: 00ca48302f7e549fd0b9dcb0b29a96f96b9d26f61ae64e1577846578a65f7f54
Instruction Fuzzy Hash: 7E02A073A19A868AEA048B35D4447BC77A0EB85BA4F444335DA2D877D0CF3EE446D34E

Function 00007FF6E8D417B4 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: dbabca0daaad52e6d2fee9b053951e65599bec3c22e1c459a219101abfb20a77
Instruction ID: b4a698fa099fdc7ca160bbcb644b4f2ead3dad8764b857e716ad8ef0cbdc7895
Opcode Fuzzy Hash: dbabca0daaad52e6d2fee9b053951e65599bec3c22e1c459a219101abfb20a77
Instruction Fuzzy Hash: A5029173E29B4685EE128B35D5503B467A0BF95794F284335C94E933A0DF3EE48A824E

Function 00007FF6E8D2B6F0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
Instruction ID: 4193b4e3dac9e8cd549f4d6682b4cd5fd82b4c684c9dff13c6d691bd73043183
Opcode Fuzzy Hash: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
Instruction Fuzzy Hash: 49D1AAB3B14B8983DB598F25E084BA837A9E758BC8F444135DE0E4BB58CF39D648C758

Function 00007FF6E8DADD30 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a4a12b91c2d5bd1856623fb6e16607a499bd9f8d9650a84f116bfe847d2354
Instruction ID: c09f639bf585f608a37dc9af20a41ba54d408931a432550489f5e1f9453189bc
Opcode Fuzzy Hash: 99a4a12b91c2d5bd1856623fb6e16607a499bd9f8d9650a84f116bfe847d2354
Instruction Fuzzy Hash: 6B61E112E2950795F909FF36AC112F8A2311F9A790F582530DD5ED77A3ED2EE048870E

Function 00007FF6E8D4BC80 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6254c0ef687fac40c48f3d506a17342e23e87eff8218f83829c6cce0c6783e
Instruction ID: 4f3a6940bbbde789adbc4f1f5ed0fddc76d2ac3f75995f83aed325d878a4294c
Opcode Fuzzy Hash: 4d6254c0ef687fac40c48f3d506a17342e23e87eff8218f83829c6cce0c6783e
Instruction Fuzzy Hash: 1BC17933A28A4681EA008B75A8507B877A4FB957E0F044736C96DC37A1DF3EE456D34E

Function 00007FF6E8D55490 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28436a9c3417000466a2d9979135604bb1afaa64b481e814e6aa6ec24cae149b
Instruction ID: 0045e517c6b6b0c74c2d17032e34cdde8e7873a7e042b1c3ae18b6b017e7599a
Opcode Fuzzy Hash: 28436a9c3417000466a2d9979135604bb1afaa64b481e814e6aa6ec24cae149b
Instruction Fuzzy Hash: 39C15933A28B86C1EA018B65E8103A877A5FF44BE4B544336C96D877A0DF3EE455D34E

Function 00007FF6E8D282D0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
Instruction ID: 80021dc3a81b29a56992f53591bf5421d90b83c40dd2f48121fe6410796c6177
Opcode Fuzzy Hash: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
Instruction Fuzzy Hash: 3D91DBB3A10B5587EB18CF29D84126833A1F754BA8F105339DE6953B98DF3DD825CB48

Function 00007FF6E8E5D7E0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bef39161097e9df54091f6f8947ac5f1bb2ebaed7a10930231bbe4d97c59e0
Instruction ID: ba450211fa865216bbce32e17a84061c659ecb5d058be2f838303728b7e11075
Opcode Fuzzy Hash: d0bef39161097e9df54091f6f8947ac5f1bb2ebaed7a10930231bbe4d97c59e0
Instruction Fuzzy Hash: CE41EF63A095529AE605AF32ED407FD6611AF88FC0F488131ED0DC77A6ED2EE505834E

Function 00007FF6E8D39A90 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4cfc7e4d115ce1370a28ac6abb2cf91c2911c6ad5a29bc3d3fae3187189239e
Instruction ID: 58e5b619dd5a8fbfa3a1b6f8e559bb5d0c2922a5c2260494d2edcebd335726ce
Opcode Fuzzy Hash: c4cfc7e4d115ce1370a28ac6abb2cf91c2911c6ad5a29bc3d3fae3187189239e
Instruction Fuzzy Hash: 44414963F2CB0E51E9068B3765853745182AF5B3D0E28C732D82DA77D5EF2EB894920D

Function 00007FF6E8D4C0A0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee72cb688372a8b7ca6c53026427fe1cb6e98e11cf675aa8f3c1fed9b58c5e49
Instruction ID: 963eae9998d6caaee16545a804be2bf192ca9031c84cb64999128dcab48af92c
Opcode Fuzzy Hash: ee72cb688372a8b7ca6c53026427fe1cb6e98e11cf675aa8f3c1fed9b58c5e49
Instruction Fuzzy Hash: B1412522F16B4A41EA15877A5141BB95252AFD97C4F0CC732D90FA77A0EF3EF486820D

Function 00007FF6E8DE3D20 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7533faf894bf0ca9caf5f1480e5f2de4d9b878ab499b8342825ab4e25c589ece
Instruction ID: 4e2853df459f85aa14976e3ba35bb735f1f7afadbef0f440c953c1538ac330d3
Opcode Fuzzy Hash: 7533faf894bf0ca9caf5f1480e5f2de4d9b878ab499b8342825ab4e25c589ece
Instruction Fuzzy Hash: 2D31F933F0954582EB6D9F36D4811BCA351EB45BD4B489231CE0D833A4DE2EEC9A874D

Function 00007FF6E8D529B0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f6a76dfd64ef7b78e5c6641dc319f4b652810589be1d7a6d8d44123e559c2a
Instruction ID: dbd4a54d596fdecf58277c0592e0b612f496a67d94244432c9dca40418bc8d21
Opcode Fuzzy Hash: 58f6a76dfd64ef7b78e5c6641dc319f4b652810589be1d7a6d8d44123e559c2a
Instruction Fuzzy Hash: 6A21FC23F2834286FBB49B7AA29277E1351EB897C0F486231DE5C43A46DD2FD499470D

Function 00007FF6E8D239D0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID:
API String ID: 3706814929-0
Opcode ID: b4f4eecb476bf04b12e31564723069907bbc9b466724c713cfc222d08a9c6718
Instruction ID: 8b1fdff716e7f9ec5d92bbdb5df7c1c7d19f422623ce04c07d495db8a74db39a
Opcode Fuzzy Hash: b4f4eecb476bf04b12e31564723069907bbc9b466724c713cfc222d08a9c6718
Instruction Fuzzy Hash: BC21F223B2858642FB249E6AE450FBAA215EBC4790F404130EE4E83AA4DD3ED008C70D

Function 00007FF6E8D21C50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d970be861cd335eefdf12fe82d3e44501331a57d5991168e1a8962bd367bcf6
Instruction ID: 80d33f34c5722b70a5899966c884795db58230ea26ce4a3f367269df60b42be8
Opcode Fuzzy Hash: 1d970be861cd335eefdf12fe82d3e44501331a57d5991168e1a8962bd367bcf6
Instruction Fuzzy Hash: D1F08C12E2940791E905BF36E8022F4A2211F9A340F582530DC1EE7A93BE2EE418430E

Function 00007FF6E8D23000 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 144librarythreadloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF6E8D2CF00
GetProcAddress.KERNEL32 ref: 00007FF6E8D2CF13
GetCurrentProcess.KERNEL32 ref: 00007FF6E8D2CF25
VerSetConditionMask.KERNEL32 ref: 00007FF6E8D2CF8B
VerSetConditionMask.KERNEL32 ref: 00007FF6E8D2CF9B
VerSetConditionMask.KERNEL32 ref: 00007FF6E8D2CFAB
VerifyVersionInfoW.KERNEL32 ref: 00007FF6E8D2CFD3
GetProcAddress.KERNEL32 ref: 00007FF6E8D2CFE7
GetLastError.KERNEL32 ref: 00007FF6E8D2D03E
SuspendThread.KERNEL32 ref: 00007FF6E8D2D058
GetThreadContext.KERNEL32 ref: 00007FF6E8D2D079
ResumeThread.KERNEL32 ref: 00007FF6E8D2D0B3

Strings

kernel32, xrefs: 00007FF6E8D2CEF3
IsWow64Process2, xrefs: 00007FF6E8D2CF09
QueueUserAPC2, xrefs: 00007FF6E8D2CFDD

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
String ID: IsWow64Process2$QueueUserAPC2$kernel32
API String ID: 2652322181-269241671
Opcode ID: 2ed5142675b828450414f6af03e9e150d3f22da0891d8269898bcd82b2a367be
Instruction ID: 669eb99c4f33d10213cae818e0fb31615d12b78db042c11e1acde7a649d9aeb0
Opcode Fuzzy Hash: 2ed5142675b828450414f6af03e9e150d3f22da0891d8269898bcd82b2a367be
Instruction Fuzzy Hash: D9517D32A0864281EA65DB31E9447B923A1EF85BA0F001335D99DC77A4DF3EE40A875E

Function 00007FF6E8D23007 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 142librarythreadloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF6E8D2CF00
GetProcAddress.KERNEL32 ref: 00007FF6E8D2CF13
GetCurrentProcess.KERNEL32 ref: 00007FF6E8D2CF25
VerSetConditionMask.KERNEL32 ref: 00007FF6E8D2CF8B
VerSetConditionMask.KERNEL32 ref: 00007FF6E8D2CF9B
VerSetConditionMask.KERNEL32 ref: 00007FF6E8D2CFAB
VerifyVersionInfoW.KERNEL32 ref: 00007FF6E8D2CFD3
GetProcAddress.KERNEL32 ref: 00007FF6E8D2CFE7
GetLastError.KERNEL32 ref: 00007FF6E8D2D03E
SuspendThread.KERNEL32 ref: 00007FF6E8D2D058
GetThreadContext.KERNEL32 ref: 00007FF6E8D2D079
ResumeThread.KERNEL32 ref: 00007FF6E8D2D0B3

Strings

kernel32, xrefs: 00007FF6E8D2CEF3
IsWow64Process2, xrefs: 00007FF6E8D2CF09
QueueUserAPC2, xrefs: 00007FF6E8D2CFDD

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
String ID: IsWow64Process2$QueueUserAPC2$kernel32
API String ID: 2652322181-269241671
Opcode ID: 4825748d57e2d133e0b0926e79e8171601229c5e1e52b9d54749e5c96503095b
Instruction ID: 77348211aed2961a3791a8e57bfbc212f5ca688c6e61c46b78f85378f7bab7cc
Opcode Fuzzy Hash: 4825748d57e2d133e0b0926e79e8171601229c5e1e52b9d54749e5c96503095b
Instruction Fuzzy Hash: 8A518E32A1874281EA65DB31E9547B923A1FF89BD0F001235D98DC77A4DF3EE40A875E

Function 00007FF6E8D2DBD0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2DC0E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2DC36
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2DC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2DC76
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2DC96
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2DCBA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2DCDE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2DD02

Strings

GCHeapHardLimitSOHPercent, xrefs: 00007FF6E8D2DCB0
GCHeapHardLimitLOH, xrefs: 00007FF6E8D2DC6C
GCHeapHardLimitPOH, xrefs: 00007FF6E8D2DC8C
GCHeapHardLimitSOH, xrefs: 00007FF6E8D2DC4C
GCHeapHardLimitLOHPercent, xrefs: 00007FF6E8D2DCD4
GCHeapHardLimit, xrefs: 00007FF6E8D2DC07
GCHeapHardLimitPOHPercent, xrefs: 00007FF6E8D2DCF8
GCHeapHardLimitPercent, xrefs: 00007FF6E8D2DC2C

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
API String ID: 1004003707-945519297
Opcode ID: a2420435b7c8d9abb28f4f8f1ce3c06c939d7a2a25c3777b265420f1345e2620
Instruction ID: 5577067646e7675a5a3a6b0f9dacd1d80673fa5af5967a92ab8ddd3dde418be8
Opcode Fuzzy Hash: a2420435b7c8d9abb28f4f8f1ce3c06c939d7a2a25c3777b265420f1345e2620
Instruction Fuzzy Hash: 72418172E0CA4680F611AB3695043B41291AF457F4F440331DD3CDB6E9EF6EE88A934E

Function 00007FF6E8D2CBA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF6E8D23177), ref: 00007FF6E8D2CBC3
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF6E8D23177), ref: 00007FF6E8D2CBD8
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF6E8D23177), ref: 00007FF6E8D2CBE5
InitializeContext.KERNEL32(?,?,?,?,?,00007FF6E8D23177), ref: 00007FF6E8D2CC23
GetLastError.KERNEL32(?,?,?,?,?,00007FF6E8D23177), ref: 00007FF6E8D2CC31
InitializeContext.KERNEL32(?,?,?,?,?,00007FF6E8D23177), ref: 00007FF6E8D2CC85

Strings

kernel32.dll, xrefs: 00007FF6E8D2CBBC
InitializeContext2, xrefs: 00007FF6E8D2CBCE

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: 4faa34e522b81a6922513b62757b9b2305a4d9aa7d62287a7091f890ca87deb6
Instruction ID: a5c3827b9c221da4bbbefa39460144c65416e6471b0ac0c84555cb5a01202d4b
Opcode Fuzzy Hash: 4faa34e522b81a6922513b62757b9b2305a4d9aa7d62287a7091f890ca87deb6
Instruction Fuzzy Hash: E2316D33A19B5781EA10ABB5A4003B96390BF847D0F480535ED4D837A4DF7EE84AD75E

Function 00007FF6E8D233B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E8D2CE60: GetCurrentThreadId.KERNEL32 ref: 00007FF6E8D2CE64

GetCurrentProcess.KERNEL32 ref: 00007FF6E8D233F6
GetCurrentThread.KERNEL32 ref: 00007FF6E8D233FE
DuplicateHandle.KERNEL32 ref: 00007FF6E8D23422

Part of subcall function 00007FF6E8D2E660: VirtualQuery.KERNEL32 ref: 00007FF6E8D2E692

RaiseFailFastException.KERNEL32 ref: 00007FF6E8D23450

Strings

, xrefs: 00007FF6E8D23464

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-3916222277
Opcode ID: e3e0a65bc4f973e40a7d5c75bb7f7f943cf2642b959c91c2dbab2de6d3c60d57
Instruction ID: 36248072b823b25754be1a6ba88ff5e733e88c65733bd61747ad61703c2c66b8
Opcode Fuzzy Hash: e3e0a65bc4f973e40a7d5c75bb7f7f943cf2642b959c91c2dbab2de6d3c60d57
Instruction Fuzzy Hash: 6F118E73A08B818AD760EF25A4402DAB350FB457B4F140335E6BD4B7D6CF39D5468709

Function 00007FF6E8D57C50 Relevance: 7.6, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6E8D57D05
LeaveCriticalSection.KERNEL32 ref: 00007FF6E8D57D5E
EnterCriticalSection.KERNEL32 ref: 00007FF6E8D57E21
LeaveCriticalSection.KERNEL32 ref: 00007FF6E8D57E42
EnterCriticalSection.KERNEL32 ref: 00007FF6E8D57E85
LeaveCriticalSection.KERNEL32 ref: 00007FF6E8D57EA6

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 1666322e2a904ac0cf5b3a234637cb36e490dfc74a66e8185ec8efb97d466e7c
Instruction ID: 078aeb85740848e8442c3b514a11de6f872bc1114d66b24af7141126dc6f41b3
Opcode Fuzzy Hash: 1666322e2a904ac0cf5b3a234637cb36e490dfc74a66e8185ec8efb97d466e7c
Instruction Fuzzy Hash: FE615933A19B4684EA51AB25E8403F563A0FB447D4F540336D98C83765DF3FE849938E

Function 00007FF6E8D52F80 Relevance: 7.6, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6E8D53025
LeaveCriticalSection.KERNEL32 ref: 00007FF6E8D5307D

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b21c72c450b463f4920cee275832f193dea19a1ca35f9c4e2b50207979d5093b
Instruction ID: 0f5f68a86784d276d9cd3ed3cb7988764f908ed69154d4d56ab79a31fd04c724
Opcode Fuzzy Hash: b21c72c450b463f4920cee275832f193dea19a1ca35f9c4e2b50207979d5093b
Instruction Fuzzy Hash: 26516933919B8684EA61AB25E8403F573A4FF95384F440336D98C83A65EF3FE449974E

Function 00007FF6E8D23EB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF6E8D23F50
RaiseFailFastException.KERNEL32 ref: 00007FF6E8D24059
RaiseFailFastException.KERNEL32 ref: 00007FF6E8D24096

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF6E8D23F3A

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: edcb76423634533c14701209537ab2eaed2715ea9f1ac3b1dd4543dc0ac9788a
Instruction ID: e791fdd0134a2565b114bc301ea2c9720d8f619ea7d43a008aa2d3311e63299a
Opcode Fuzzy Hash: edcb76423634533c14701209537ab2eaed2715ea9f1ac3b1dd4543dc0ac9788a
Instruction Fuzzy Hash: 6C518333B1865281EE548B35E5403B823A1EB48BA4F444636DA1D877A5DE3FE899930E

Function 00007FF6E8D61970 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF6E8D3C7EB), ref: 00007FF6E8D619EB
SwitchToThread.KERNEL32(?,?,?,00007FF6E8D3C7EB), ref: 00007FF6E8D61A92
SwitchToThread.KERNEL32(?,?,?,00007FF6E8D3C7EB), ref: 00007FF6E8D61AA8

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 95544bbce4b90e12acf5c392e48b6c2ca22bac221c7c535adcad6349c9bd3327
Instruction ID: 233c30ab1abc20fdb7db5cf472d5eeecaf4766a96afad62abab080f2130fe37f
Opcode Fuzzy Hash: 95544bbce4b90e12acf5c392e48b6c2ca22bac221c7c535adcad6349c9bd3327
Instruction Fuzzy Hash: 4D41B633B2964A85EF508E36D14037D72A0EB01BD4F18833AC65EC6785DE3EE445A75E

Function 00007FF6E8D2CD10 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E8D23541), ref: 00007FF6E8D2CD44
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E8D23541), ref: 00007FF6E8D2CD4E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E8D23541), ref: 00007FF6E8D2CD6D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E8D23541), ref: 00007FF6E8D2CD81

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: 71cbba1b383cf0b7fb516053fcd2ddd0c29d4ad2df29a1dc53a75a309a826a29
Instruction ID: 02a0fc063b452b33f994001447404d39eb89fd0b88096b44bf47597b6f3ce8e0
Opcode Fuzzy Hash: 71cbba1b383cf0b7fb516053fcd2ddd0c29d4ad2df29a1dc53a75a309a826a29
Instruction Fuzzy Hash: 8411513660C65582D7348B26B45022AB761FB48791F540335FACD87B99CF3DD8048B4D

Function 00007FF6E8D8CF30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D8C243), ref: 00007FF6E8D8CF80
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E8D8C243), ref: 00007FF6E8D8CFC1

Strings

csm, xrefs: 00007FF6E8D8CFAE

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 2158b8275b8e927ea860eb8b48a04596ff7d9b9df4afa64fc7c7d762c6f39301
Instruction ID: eb2bab39af74c8a9f3cbdb052d7749b30aeea4303649ae8fa3cc80111e13f9e5
Opcode Fuzzy Hash: 2158b8275b8e927ea860eb8b48a04596ff7d9b9df4afa64fc7c7d762c6f39301
Instruction Fuzzy Hash: 33114932619B4182EB608B25E400269B7E4FB88B94F588230EACD47B58DF3DC5558B08

Function 00007FF6E8D2E4E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF6E8D2DD43,?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2E51B
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF6E8D2DD43,?,?,?,00007FF6E8D34107,?,?,?,?,00007FF6E8D2D115), ref: 00007FF6E8D2E558

Strings

HeapVerify, xrefs: 00007FF6E8D2E4EF

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: _stricmpstrtoull
String ID: HeapVerify
API String ID: 4031153986-2674988305
Opcode ID: 7c2d8afe691a5ee2b53f1849f6005c7252510a015ecc9786c3c7096a8c5378b9
Instruction ID: 4394e6ee078a6b11918084f87e06b9ad3d61e215b908593740f9a6917215fde1
Opcode Fuzzy Hash: 7c2d8afe691a5ee2b53f1849f6005c7252510a015ecc9786c3c7096a8c5378b9
Instruction Fuzzy Hash: 9A01D272A18A4286E7049F21F880169B3A0FB44780F689131DA9D83B89DE3DE485870C

Function 00007FF6E8D45A70 Relevance: 5.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000080,00007FF6E8D45BEF,?,?,?,00007FF6E8D533BB), ref: 00007FF6E8D45ABD
LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF6E8D45BEF,?,?,?,00007FF6E8D533BB), ref: 00007FF6E8D45B12
EnterCriticalSection.KERNEL32(?,?,00000080,00007FF6E8D45BEF,?,?,?,00007FF6E8D533BB), ref: 00007FF6E8D45B2F
LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF6E8D45BEF,?,?,?,00007FF6E8D533BB), ref: 00007FF6E8D45B4C

Memory Dump Source

Source File: 00000000.00000002.2171199960.00007FF6E8D21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8D20000, based on PE: true

Associated: 00000000.00000002.2171183257.00007FF6E8D20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171313837.00007FF6E8E6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171354180.00007FF6E8EB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171416662.00007FF6E8F6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171469647.00007FF6E8F70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e8d20000_PO454355 Pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a1fa865a0e94e1f8772bdde457da13c0df39fa8a2aff1e55c8e78e7da091c82e
Instruction ID: cb6478655d00df7888634abc1cdd5ff9718bcb1572c20d3da9a9f2f89ff4372a
Opcode Fuzzy Hash: a1fa865a0e94e1f8772bdde457da13c0df39fa8a2aff1e55c8e78e7da091c82e
Instruction Fuzzy Hash: 9A21B233E28A0681EA009F31A9503B923A4EF557E4F580335D96C83A95CF6FE55A834E

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO454355 Pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_ce89fc30-2665-47d9-b3d6-2c5173e453ca\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER258B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2618.tmp.xml

C:\Users\user\AppData\Local\Temp\WER15BB.tmp.WERDataCollectionStatus.txt

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
PO454355 Pdf.exe

Function 00007FF6E8D32B90 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Function 00007FF6E8D28130 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105
COMMON

Function 00007FF6E8D8BDA4 Relevance: 3.2, APIs: 2, Instructions: 199
COMMONLIBRARYCODE

Function 00007FF6E8D32750 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 96
COMMON

Function 00007FF6E8D2D0F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Function 00007FF6E8D23630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
sleepCOMMON

Function 00007FF6E8D2D350 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Function 00007FF6E8D32570 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Function 00007FF6E8D38DCB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106
COMMON

Function 00007FF6E8D32E10 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Function 00007FF6E8D32DD0 Relevance: 2.5, APIs: 2, Instructions: 17
memoryCOMMON

Function 00007FF6E8DCCFB0 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Function 00007FF6E8D22AB0 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON